Analysis Overview
SHA256
5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa
Threat Level: Known bad
The file 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa was found to be: Known bad.
Malicious Activity Summary
RisePro
Stealc
RedLine payload
Detect ZGRat V1
SectopRAT payload
Glupteba payload
Amadey
SectopRAT
ZGRat
RedLine
Glupteba
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Reads local data of messenger clients
Reads WinSCP keys stored on the system
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Identifies Wine through registry keys
Reads user/profile data of web browsers
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-27 18:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-27 18:32
Reported
2024-04-27 18:35
Platform
win10v2004-20240419-en
Max time kernel
143s
Max time network
53s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
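The three tables above (the VBOX__ ACPI table name, SystemBiosVersion/VideoBiosVersion, Software\Wine) show the sample and its dropped copy explorta.exe fingerprinting the environment before doing anything else. The script below is an added example, not part of this report or of the sandbox's signature set: it reads rows in the table format used on this page and gives each process a weighted anti-analysis score, counting each distinct key once so a polling loop does not inflate the number. The key weights, the threshold and the extra chrome.exe row in the sample are assumptions.

```python
"""Score each process in a sandbox report for anti-analysis registry probes.

Added example; not part of this report or of the sandbox's signature set.
Rows are read in the table format used on this page. Weights and threshold
are assumptions: the VirtualBox ACPI table name and the Wine key have no
legitimate reader in a user-mode installer, while the BIOS version strings
are weaker because some setup tools do query them.
"""
import re

# Lower-cased path suffixes -> (tag, weight)
ANTI_ANALYSIS_KEYS = {
    "\\hardware\\acpi\\dsdt\\vbox__": ("virtualbox_acpi", 3),
    "\\software\\wine": ("wine", 2),
    "\\system\\systembiosversion": ("system_bios_version", 1),
    "\\system\\videobiosversion": ("video_bios_version", 1),
    "\\enum\\scsi": ("scsi_enumeration", 1),
}

# One data row of the report tables: | Description | Indicator | Process | Target |
ROW_RE = re.compile(r"^\|(?P<desc>[^|]*)\|(?P<ind>[^|]*)\|(?P<proc>[^|]*)\|(?P<target>[^|]*)\|$")

# Constructed sample in this report's row format (the chrome.exe row is a benign control).
SAMPLE_ROWS = r'''
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
'''


def parse_rows(text):
    """Yield (description, indicator, process, target) for each data row, skipping the header."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        fields = tuple(f.strip() for f in m.groups())
        if fields[0] == "Description":
            continue
        yield fields


def classify_key(path):
    """Return (tag, weight) if the registry path is a known anti-analysis probe, else None."""
    low = path.lower()
    for suffix, hit in ANTI_ANALYSIS_KEYS.items():
        if low.endswith(suffix):
            return hit
    return None


def score_processes(text):
    """Map each process to the distinct probes it made and their summed weight.

    A key probed ten times in a loop counts once, so the score measures the
    breadth of the check rather than how often the sandbox logged it.
    """
    scores = {}
    for _desc, indicator, process, _target in parse_rows(text):
        hit = classify_key(indicator)
        if hit is None:
            continue
        tag, weight = hit
        entry = scores.setdefault(process, {"tags": set(), "score": 0})
        if tag not in entry["tags"]:
            entry["tags"].add(tag)
            entry["score"] += weight
    return scores


def flagged(scores, threshold=3):
    """Processes whose summed weight reaches the threshold, highest score first."""
    ranked = sorted(scores.items(), key=lambda kv: -kv[1]["score"])
    return [proc for proc, entry in ranked if entry["score"] >= threshold]


if __name__ == "__main__":
    result = score_processes(SAMPLE_ROWS)
    for proc, entry in result.items():
        print(f"{entry['score']:>2} {sorted(entry['tags'])} {proc}")
    print("flagged:", flagged(result))
```

Running it on the sample flags only explorta.exe (ACPI + Wine + BIOS, score 6); the lone SystemBiosVersion read by the second binary stays below the threshold, and chrome.exe's SystemManufacturer query (a normal telemetry read, seen later in this report) is not scored at all.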
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorta.job | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4092 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
| PID 4092 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
| PID 4092 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe
"C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| RU | 193.233.132.139:80 | | tcp |
| RU | 193.233.132.139:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
memory/4092-0-0x0000000000090000-0x000000000053D000-memory.dmp
memory/4092-1-0x00000000778F4000-0x00000000778F6000-memory.dmp
memory/4092-2-0x0000000004A10000-0x0000000004A11000-memory.dmp
memory/4092-6-0x00000000049E0000-0x00000000049E1000-memory.dmp
memory/4092-7-0x00000000049F0000-0x00000000049F1000-memory.dmp
memory/4092-5-0x0000000004A40000-0x0000000004A41000-memory.dmp
memory/4092-4-0x0000000004A00000-0x0000000004A01000-memory.dmp
memory/4092-3-0x0000000004A20000-0x0000000004A21000-memory.dmp
memory/4092-10-0x0000000004A60000-0x0000000004A61000-memory.dmp
memory/4092-9-0x0000000004A70000-0x0000000004A71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
| MD5 | c6c67eb559da36d1059124e4f58f5693 |
| SHA1 | 98660ff111c1632bc86e96630122cd819593de60 |
| SHA256 | 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa |
| SHA512 | e1378319c487ecdd24541ca374465363c074831cb06fcbc8bf72512d9df7d77a66a5857e829bbdd1e4e3abe377668e93fa1418f6ff54effb72cefc823d09ccbb |
memory/4092-22-0x0000000000090000-0x000000000053D000-memory.dmp
memory/3460-23-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-25-0x00000000050C0000-0x00000000050C1000-memory.dmp
memory/3460-26-0x00000000050F0000-0x00000000050F1000-memory.dmp
memory/3460-24-0x00000000050B0000-0x00000000050B1000-memory.dmp
memory/3460-28-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/3460-27-0x0000000005080000-0x0000000005081000-memory.dmp
memory/3460-30-0x00000000050E0000-0x00000000050E1000-memory.dmp
memory/3460-29-0x0000000005090000-0x0000000005091000-memory.dmp
memory/3460-32-0x0000000005100000-0x0000000005101000-memory.dmp
memory/3460-31-0x0000000005110000-0x0000000005111000-memory.dmp
memory/3460-33-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/1080-35-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-36-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/1080-37-0x0000000004B90000-0x0000000004B91000-memory.dmp
memory/1080-42-0x0000000004B80000-0x0000000004B81000-memory.dmp
memory/1080-41-0x0000000004B60000-0x0000000004B61000-memory.dmp
memory/1080-40-0x0000000004B50000-0x0000000004B51000-memory.dmp
memory/1080-39-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/1080-38-0x0000000004B70000-0x0000000004B71000-memory.dmp
memory/1080-43-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-44-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-45-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-46-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-47-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-48-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-49-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/4940-51-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/4940-52-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-53-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-54-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-55-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-56-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-57-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-58-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/5012-60-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/5012-61-0x0000000000A10000-0x0000000000EBD000-memory.dmp
memory/3460-62-0x0000000000A10000-0x0000000000EBD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-27 18:32
Reported
2024-04-27 18:35
Platform
win11-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000017002\9b16ff0cfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000017002\9b16ff0cfd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000017002\9b16ff0cfd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\1000017002\9b16ff0cfd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1080f4ac44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\1080f4ac44.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b16ff0cfd.exe = "C:\\Users\\Admin\\1000017002\\9b16ff0cfd.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
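The Run values above point at executables in the user profile (random hex names under Temp and under C:\Users\Admin) and at a csrss.exe under C:\Windows\rss, a process name that only belongs in System32. The script below is an added example, mine rather than the sandbox's logic: it decodes the escaped value strings exactly as they appear in these rows, extracts the executable from the command line, and tags each entry with the reasons a responder would act on; it also accepts the File created rows for dropped .exe and .job files that appear later in this report. The system-binary name list and the hex-name heuristic are assumptions, and the OneDrive row in the sample is constructed to show a benign user-profile autorun that earns only the weak user_writable tag.

```python
"""Triage persistence artifacts from sandbox rows: Run-key values and dropped files.

Added example, not part of the sandbox's signature set. SYSTEM_NAMES,
WINDOWS_ROOT_OK, the hex-name heuristic and the OneDrive sample row are
assumptions.
"""
import re

ROW_RE = re.compile(r"^\|(?P<desc>[^|]*)\|(?P<ind>[^|]*)\|(?P<proc>[^|]*)\|(?P<target>[^|]*)\|$")
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>.+?) = "(?P<val>.*)"$')
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe"}

# Constructed sample: Run rows and File created rows in this report's format,
# plus one benign OneDrive autorun that is not on the page.
SAMPLE_ROWS = r'''
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1080f4ac44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\1080f4ac44.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b16ff0cfd.exe = "C:\\Users\\Admin\\1000017002\\9b16ff0cfd.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| File created | C:\Windows\Tasks\explorta.job | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
'''


def unescape(val):
    """Undo the C-style escaping (\\\\ and \\") the report applies to registry string values."""
    return re.sub(r"\\(.)", r"\1", val)


def command_image(cmd):
    """Executable part of a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # An unquoted path containing spaces is ambiguous; the first token is all we can trust.
    return cmd.split(" ", 1)[0]


def reasons_for(image):
    """Set of triage tags for an on-disk image path (case-insensitive)."""
    low = image.lower()
    directory, _, name = low.rpartition("\\")
    out = set()
    if low.startswith("c:\\users\\"):
        out.add("user_writable")
    if "\\appdata\\local\\temp\\" in low:
        out.add("temp_dir")
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        out.add("system_binary_name_outside_system_dir")
    if directory == "c:\\windows" and name not in WINDOWS_ROOT_OK:
        out.add("unexpected_binary_in_windows_root")
    if re.fullmatch(r"[0-9a-f]{8,}\.exe", name):
        out.add("hex_name")
    if name.endswith(".job") and directory == "c:\\windows\\tasks":
        out.add("legacy_job_file")  # AT-style job in C:\Windows\Tasks, no XML task definition
    return out


def triage(text):
    """One record per Run value or dropped .exe/.job, with the process that wrote it."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        desc, ind, proc = m["desc"].strip(), m["ind"].strip(), m["proc"].strip()
        run = RUN_RE.search(ind)
        if desc.startswith("Set value") and run:
            name, image = run["name"], command_image(unescape(run["val"]))
        elif desc == "File created" and ind.lower().endswith((".exe", ".job")):
            name, image = ind.rpartition("\\")[2], ind
        else:
            continue
        records.append({"name": name, "image": image, "writer": proc,
                        "reasons": sorted(reasons_for(image))})
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_ROWS):
        print(f"{rec['name']:<16} {rec['reasons']}  <- {rec['writer']}")
```

The decoding step matters: the csrss value is stored with its own surrounding quotes, so the report shows it as `"\"C:\\Windows\\rss\\csrss.exe\""`; unescaping first and only then splitting the command line is what yields the real path. The OneDrive control row shows why user_writable alone is a weak signal and why the masquerade and hex-name tags carry the decision.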
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000017002\9b16ff0cfd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3268 set thread context of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2364 set thread context of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5128 set thread context of 5244 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5180 set thread context of 5348 | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5644 set thread context of 5948 | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5948 set thread context of 5616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
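Each row above is one process setting the thread context of another. In the first four the target is RegAsm.exe, a signed .NET utility with no reason to receive a foreign thread context, and the last two form a two-hop chain run.exe to cmd.exe to MSBuild.exe. The script below is an added example, not the sandbox's own code: it turns these rows (and the WriteProcessMemory rows from behavioral1) into edges, walks them from roots that nobody injected into down to the leaves, and reports chains that end in a host typical of process hollowing, where the loader starts the host suspended, replaces its image, then resumes it. The host list is an assumption; the sample rows are copied from this report.

```python
"""Rebuild process-injection chains from the report's WriteProcessMemory and
SetThreadContext rows and flag the ones that end in a hollowing host.

Added example, not the sandbox's own logic. HOLLOWING_HOSTS is an assumption.
"""
import re

HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}

# | PID A wrote to memory of B | N/A | <source image> | <target image> |
# | PID A set thread context of B | N/A | <source image> | <target image> |
EDGE_RE = re.compile(
    r"^\|\s*PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+)\s*\|"
    r"[^|]*\|(?P<simg>[^|]*)\|(?P<dimg>[^|]*)\|$"
)

# Constructed sample: rows copied from the behavioral1 and behavioral2 sections of this report.
SAMPLE_ROWS = r'''
| Description | Indicator | Process | Target |
| PID 4092 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
| PID 4092 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
| PID 4092 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
| PID 3268 set thread context of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2364 set thread context of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5128 set thread context of 5244 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5180 set thread context of 5348 | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5644 set thread context of 5948 | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5948 set thread context of 5616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
'''


def parse_edges(text):
    """Yield distinct (src_pid, dst_pid, verb, src_image, dst_image) edges.

    The sandbox logs one row per write call, so identical rows collapse to one edge.
    """
    seen = set()
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m["src"]), int(m["dst"]), m["verb"], m["simg"].strip(), m["dimg"].strip())
        if edge not in seen:
            seen.add(edge)
            yield edge


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def injection_chains(text):
    """Chains [(pid, image), ...] from an un-injected root to a leaf that is a hollowing host."""
    edges = list(parse_edges(text))
    children, image = {}, {}
    for src, dst, _verb, simg, dimg in edges:
        children.setdefault(src, []).append(dst)
        image[src], image[dst] = simg, dimg
    roots = sorted(set(children) - {dst for _s, dst, *_ in edges})
    chains = []

    def walk(pid, path):
        if pid in {p for p, _ in path}:  # defensive: a cycle in the rows would recurse forever
            return
        path = path + [(pid, image[pid])]
        if pid not in children:  # leaf: the process that ends up running the payload
            if basename(image[pid]) in HOLLOWING_HOSTS:
                chains.append(path)
            return
        for child in children[pid]:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return chains


def describe(chain):
    return " -> ".join(f"{basename(img)}({pid})" for pid, img in chain)


if __name__ == "__main__":
    for chain in injection_chains(SAMPLE_ROWS):
        print(describe(chain))
```

On the sample this yields five chains: four single hops into RegAsm.exe and the run.exe, cmd.exe, MSBuild.exe chain. The 4092 to 3460 write into explorta.exe is kept as an edge but not reported, because explorta.exe is the dropped copy of the sample rather than a benign host; the same graph is what you would pivot on to pair each RegAsm.exe memory region with the loader that filled it.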
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorta.job | C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe | N/A |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1696768468-2170909707-4198977321-1000\{301419F8-90A5-4B39-B71B-3F9DDB7D61F1} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary certificate blob not reproduced) | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe
"C:\Users\Admin\AppData\Local\Temp\5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb02e8ab58,0x7ffb02e8ab68,0x7ffb02e8ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3220 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4472 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8
C:\Users\Admin\1000017002\9b16ff0cfd.exe
"C:\Users\Admin\1000017002\9b16ff0cfd.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1724,i,5863915179814669781,15516419314344437433,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3268 -ip 3268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 888
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2364 -ip 2364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 404
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 5128 -ip 5128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 396
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5256 -ip 5256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 384
C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe
"C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe"
C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"
C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\696768468217_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe
"C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5704 -ip 5704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1516
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5828 -ip 5828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 2100
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
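Several of the command lines above are persistence and defense-evasion steps rather than payload execution: the one-minute `schtasks` loop for NewB.exe, the ONLOGON task and inbound firewall allow rule for a `csrss.exe` that lives in C:\Windows\rss\ instead of System32, `rundll32` loading cred64.dll and clip64.dll from AppData\Roaming, `netsh wlan show profiles`, the `Compress-Archive` of a staged `_Files_` folder, the `choice ... & Del` self-delete, and `sc sdset WinDefender`. The SDDL passed to `sc sdset` deserves a closer look: `(D;;WPDT;;;BA)` is an explicit deny of SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) to BUILTIN\Administrators, and WP and DT have also been dropped from the preceding Administrators allow ACE, so an interactive admin can no longer stop the fake "WinDefender" service from services.msc or `sc stop`. Because ACEs are evaluated in order, the LocalSystem allow ACE that comes first still grants stop rights to SYSTEM. WRITE_DAC (WD) remains granted to Administrators, so the descriptor can be reset with `sc sdset` and a stock DACL. The script below is an added example, not part of the sandbox output: it decodes a service SDDL using the standard Windows rights letters and runs a small set of triage rules over command lines copied from the process list. The user-writable path markers, the system-process name list and the rule wording are my assumptions, not sandbox signatures.

```python
import re
from pathlib import PureWindowsPath

# Service-specific rights letters used in service SDDL (standard Windows mapping).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
        "SU": "Service", "WD": "Everyone"}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);;;([\w-]+)\)")
# A quoted path (may contain spaces) or a bare path ending at whitespace, quote or comma.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"\',]+)')
# Assumed markers of locations a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Assumed list of names that legitimately live only in System32/SysWOW64.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}
# The SDDL from the 'sc sdset WinDefender' command line in the process list.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_service_dacl(sddl):
    """Return [(ace_type, trustee, {rights})] for the DACL, i.e. the text before 'S:'."""
    out = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(sddl.split("S:")[0]):
        names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)}
        out.append((ace_type, SIDS.get(sid, sid), names))
    return out


def denied_to_admins(sddl):
    """Rights that an explicit deny ACE withholds from BUILTIN\\Administrators."""
    return {r for t, who, rights in parse_service_dacl(sddl)
            if t == "D" and who == "Administrators" for r in rights}


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def masquerades(path):
    """True for a core system-process name living outside System32/SysWOW64."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_NAMES and p.parent.name.lower() not in ("system32", "syswow64")


def triage(cmd):
    """Reasons this command line deserves a look; an empty list means no rule fired."""
    low, hits = cmd.lower(), []
    paths = [a or b for a, b in PATH_RE.findall(cmd)]
    image = paths[0] if paths and low.lstrip('"').startswith(paths[0].lower()) else ""
    if image and user_writable(image):
        hits.append(f"image runs from user-writable path {image}")
    for p in paths:
        if masquerades(p):
            hits.append(f"system-process name outside System32: {p}")
        if p.lower().endswith(".dll") and user_writable(p):
            hits.append(f"DLL loaded from user-writable path {p}")
    if "schtasks" in low and "/create" in low:
        m = re.search(r'/tr\s+"?(.+?)"?\s+/', cmd, re.I)
        target = m.group(1) if m else "?"
        if user_writable(target) or "/rl highest" in low:
            hits.append(f"scheduled task runs {target}")
    if "advfirewall" in low and "add rule" in low and "action=allow" in low:
        m = re.search(r'program="([^"]+)"', cmd, re.I)
        hits.append(f"inbound firewall allow rule for {m.group(1) if m else '?'}")
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(D:\S+)", cmd, re.I)
    denied = denied_to_admins(m.group(2)) if m else set()
    if denied:
        hits.append(f"service {m.group(1)} denies {sorted(denied)} to Administrators")
    if "netsh wlan show profiles" in low:
        hits.append("enumerates saved Wi-Fi profiles")
    if "compress-archive" in low:
        hits.append("stages collected files into an archive")
    if re.search(r"choice\s+/c\s+y.*&\s*del\b", low):
        hits.append("delayed self-delete via choice/del")
    return hits


# Constructed sample: command lines copied from the process list above, plus the
# Chrome launch as a control that should produce no findings.
SAMPLE = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    "sc sdset WinDefender " + WINDEFENDER_SDDL,
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main',
    "netsh wlan show profiles",
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\696768468217_Desktop.zip' -CompressionLevel Optimal",
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account',
]


def report(cmds):
    """Map each flagged command line to its findings (clean lines are omitted)."""
    return {c: triage(c) for c in cmds if triage(c)}


if __name__ == "__main__":
    for cmd, findings in report(SAMPLE).items():
        print(cmd[:90])
        for finding in findings:
            print("   ->", finding)
```

Running it prints the findings per command line; the Chrome launch is the control and produces none. The same `triage` function can be fed process-creation events from an EDR or Sysmon event 1 export, and `parse_service_dacl` applied to `sc sdset` or `SetServiceObjectSecurity` telemetry will surface any service whose DACL denies stop or pause rights to Administrators.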
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.132.139:80 | 193.233.132.139 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 139.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| NL | 173.194.69.84:443 | accounts.google.com | udp |
| GB | 142.250.179.234:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | accounts.youtube.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 172.217.16.238:443 | accounts.youtube.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 104.21.67.211:443 | affordcharmcropwo.shop | tcp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 172.67.183.226:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.22.160:443 | dismissalcylinderhostw.shop | tcp |
| US | 104.21.23.143:443 | diskretainvigorousiw.shop | tcp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| GB | 142.250.187.206:443 | www.youtube.com | tcp |
| GB | 142.250.187.206:443 | www.youtube.com | udp |
| US | 172.67.144.218:443 | pillowbrocccolipe.shop | tcp |
| US | 172.67.150.207:443 | productivelookewr.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| DE | 185.172.128.33:8970 | | tcp |
| US | 172.67.147.41:443 | tolerateilusidjukl.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 104.21.16.225:443 | shortsvelventysjo.shop | tcp |
| RU | 194.87.210.219:80 | file-host-host0.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 172.67.218.63:443 | incredibleextedwj.shop | tcp |
| RU | 185.215.113.67:26260 | | tcp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 172.67.192.138:443 | liabilitynighstjsko.shop | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 104.21.84.71:443 | parrotflight.com | tcp |
| FR | 52.143.157.84:80 | 52.143.157.84 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 174.33.21.104.in-addr.arpa | udp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| US | 104.21.92.190:443 | junglethomas.com | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 172.67.155.93:443 | palmeventeryjusk.shop | tcp |
| US | 104.21.75.133:443 | entitlementappwo.shop | tcp |
| US | 172.67.145.57:443 | economicscreateojsu.shop | tcp |
| US | 104.21.70.22:443 | pushjellysingeywus.shop | tcp |
| US | 172.67.135.202:443 | absentconvicsjawun.shop | tcp |
| US | 172.67.214.60:443 | suitcaseacanehalk.shop | tcp |
| DE | 185.172.128.62:80 | 185.172.128.62 | tcp |
| US | 104.21.9.123:443 | bordersoarmanusjuw.shop | tcp |
| US | 104.21.22.58:443 | mealplayerpreceodsju.shop | tcp |
| US | 104.21.52.82:443 | wifeplasterbakewis.shop | tcp |
| FR | 185.93.2.245:443 | download.iolo.net | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| RU | 91.215.85.66:15647 | | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server3.filesdumpplace.org | tcp |
| US | 3.33.249.248:3478 | stun.sipgate.net | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| RU | 91.215.85.66:15647 | | tcp |
| BG | 185.82.216.96:443 | server3.filesdumpplace.org | tcp |
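The network table mixes destinations that call for different handling. Direct-to-IP connections (Domain empty or equal to the IP, several on non-standard ports such as 8970, 26260 and 15647) are the highest-confidence indicators and can be blocked as ip:port. The long run of `.shop` domains resolves to 104.21.x and 172.67.x, which are shared CDN addresses, so block the names and not the addresses. pastebin.com and cdn.discordapp.com are the abused legitimate services the summary refers to and are better watched at URL level than blocked. Reverse lookups to 8.8.8.8, mDNS to 224.0.0.251 and the Google/YouTube traffic from the Chrome window the sample opened are noise. The script below is an added example and not part of the report: it parses rows in the table's own markdown layout (including rows whose empty Domain cell was collapsed so that the protocol landed in the Domain column), classifies each destination and emits separate block, watch and review lists. The CDN ranges are hard-coded assumptions (Cloudflare's 104.16.0.0/13 and 172.64.0.0/13), and the sample rows are a subset copied from the table.

```python
import ipaddress

# Constructed sample: a subset of rows copied from the Network table, in its own
# markdown layout. Two rows keep the collapsed layout an empty Domain cell produced.
SAMPLE_ROWS = """
| RU | 193.233.132.139:80 | 193.233.132.139 | tcp |
| US | 8.8.8.8:53 | 139.132.233.193.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 104.21.67.211:443 | affordcharmcropwo.shop | tcp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| DE | 185.172.128.33:8970 | tcp | |
| RU | 185.215.113.67:26260 | | tcp |
| RU | 194.87.210.219:80 | file-host-host0.com | tcp |
| RU | 91.215.85.66:15647 | | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 3.33.249.248:3478 | stun.sipgate.net | udp |
| BG | 185.82.216.96:443 | server3.filesdumpplace.org | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
"""

# Assumed CDN ranges (Cloudflare); a connection to these says nothing about the operator.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]
ABUSED_SERVICES = {"pastebin.com", "cdn.discordapp.com"}
BROWSER_SUFFIXES = (".google.com", ".youtube.com", ".googleapis.com")


def parse_rows(text):
    """Parse '| country | ip:port | domain | proto |' rows and repair the collapsed layout."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:  # empty Domain cell was dropped
            domain, proto = "", domain
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """One of: noise, browser, direct-ip, direct-ip-odd-port, abused-service, cdn-fronted, review."""
    ip, domain, port = ipaddress.ip_address(row["ip"]), row["domain"], row["port"]
    if ip.is_multicast or ip.is_private or port == 53 or domain.endswith(".in-addr.arpa"):
        return "noise"
    if domain.endswith(BROWSER_SUFFIXES):
        return "browser"
    if not domain or domain == row["ip"]:
        return "direct-ip-odd-port" if port not in (80, 443) else "direct-ip"
    if domain in ABUSED_SERVICES:
        return "abused-service"
    if any(ip in net for net in CDN_RANGES):
        return "cdn-fronted"
    return "review"


def build_lists(rows):
    """Group destinations by the action they warrant; names, not CDN IPs, get blocked."""
    out = {"block_ip_port": set(), "block_domain": set(), "watch_service": set(),
           "review": set(), "noise": set()}
    for r in rows:
        kind = classify(r)
        if kind.startswith("direct-ip"):
            out["block_ip_port"].add(f"{r['ip']}:{r['port']}")
        elif kind == "cdn-fronted":
            out["block_domain"].add(r["domain"])
        elif kind == "abused-service":
            out["watch_service"].add(r["domain"])
        elif kind == "review":
            out["review"].add(f"{r['domain']} ({r['ip']}:{r['port']})")
        else:
            out["noise"].add(r["domain"] or r["ip"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for bucket, items in build_lists(parse_rows(SAMPLE_ROWS)).items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
```

The review bucket (file-host-host0.com, server3.filesdumpplace.org, the STUN server) is deliberately not auto-blocked: the first two are plausible payload hosts, while a STUN query is how some stealers learn the victim's public address, and all three deserve a human decision rather than a rule.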
Files
memory/3912-0-0x0000000000240000-0x00000000006ED000-memory.dmp
memory/3912-1-0x0000000077DB6000-0x0000000077DB8000-memory.dmp
memory/3912-3-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/3912-2-0x00000000052E0000-0x00000000052E1000-memory.dmp
memory/3912-4-0x0000000005310000-0x0000000005311000-memory.dmp
memory/3912-5-0x00000000052B0000-0x00000000052B1000-memory.dmp
memory/3912-6-0x00000000052C0000-0x00000000052C1000-memory.dmp
memory/3912-8-0x0000000005340000-0x0000000005341000-memory.dmp
memory/3912-9-0x0000000005330000-0x0000000005331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
| MD5 | c6c67eb559da36d1059124e4f58f5693 |
| SHA1 | 98660ff111c1632bc86e96630122cd819593de60 |
| SHA256 | 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa |
| SHA512 | e1378319c487ecdd24541ca374465363c074831cb06fcbc8bf72512d9df7d77a66a5857e829bbdd1e4e3abe377668e93fa1418f6ff54effb72cefc823d09ccbb |
memory/3912-21-0x0000000000240000-0x00000000006ED000-memory.dmp
memory/2772-22-0x0000000000490000-0x000000000093D000-memory.dmp
memory/2772-25-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
memory/2772-28-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
memory/2772-27-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
memory/2772-26-0x0000000004E20000-0x0000000004E21000-memory.dmp
memory/2772-23-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
memory/2772-24-0x0000000004E00000-0x0000000004E01000-memory.dmp
memory/2772-30-0x0000000004E40000-0x0000000004E41000-memory.dmp
memory/2772-29-0x0000000004E50000-0x0000000004E51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
| MD5 | 1bd74ec32d03840b8c1771d9ad21581b |
| SHA1 | 7e98aa9a833f87fe6b47bccae7cd9b9f9dce5ac4 |
| SHA256 | fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814 |
| SHA512 | da5473d44a865774c2af86e61e5f8d4806bd151a709339290e79a623a2d43f3c85d45ae6b982d3b0d31dd4894919fe75ef98482b8240a1bebcc60709388a6b16 |
memory/556-48-0x0000000000A10000-0x0000000000ED6000-memory.dmp
memory/556-54-0x0000000000A10000-0x0000000000ED6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000016001\1080f4ac44.exe
| MD5 | 573f71ffff5af9ebedda301477dd854f |
| SHA1 | a21ff59592bda1bd7daa7fe9bca86599d83b45f1 |
| SHA256 | aff82ef31422a3a3a4cddc302f63d4666e2fdeb307b3f5719a8069bd3dda40d8 |
| SHA512 | 6717f10cf0e6f38cac8c6cab1fa55a0d584d1c8b8a3e8590f9622e2f7e82e41f2afd63663d528ad43af0ac1dd511fa01614c00590525dd194c4e3e01b59cba24 |
\??\pipe\crashpad_3572_GFJQXJAEEDNELRHX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\1000017002\9b16ff0cfd.exe
| MD5 | 284eae30acd3dc873f3dafe17b5808f4 |
| SHA1 | 17a373e95def586de7da03eccf683113687b620c |
| SHA256 | 87b01da26c7560632f167b214b031e25277246d93e54525334d3fd0feebebb4c |
| SHA512 | 163b6bcfca1cdbd97aa5975dabdfcc4a6063fc3c784a36e1d5fa493a919a507a2f2b85298ea106d17a4b677c70d73e31cbbf59bc4117db36ea6592cb4357abd7 |
memory/2772-137-0x0000000000490000-0x000000000093D000-memory.dmp
memory/1688-138-0x00000000001B0000-0x0000000000799000-memory.dmp
memory/3996-147-0x00000000000F0000-0x00000000005B6000-memory.dmp
memory/2772-146-0x0000000000490000-0x000000000093D000-memory.dmp
memory/1468-149-0x0000000000490000-0x000000000093D000-memory.dmp
memory/1468-152-0x0000000000490000-0x000000000093D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/3268-172-0x0000000000010000-0x0000000000062000-memory.dmp
memory/3604-175-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3604-177-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7f5e78e21dacd6cc09d83a68d48bbe88 |
| SHA1 | c52e5e2c3c786e355b25d6eff65a137fd740b5b2 |
| SHA256 | 787d2c9f6b22c9f6395bd6cfa55f5bedccb7aacfa7e5c6952e5fbc8fdba061a1 |
| SHA512 | a9a77b51f3d9cc6360bd626e4eb0911be91f8d86609c9a2835432a04589da36b17b36ae3fdf9cea5ef20e9eb709bcbea174db8cd190a1093fa319c1418e675ce |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0513dbbadcc0959c15c4696414b18076 |
| SHA1 | da6227135d13ddbd62291619944898aa3f482f7c |
| SHA256 | f3fbdc05eaed1b33826e0bde23e5ef026412a11d99b1159b7a9a143d2a40d5ae |
| SHA512 | 01bef0df4025ca8d243b77433372bb0a186676b7975b48e9789955da66e60d1a56fb88781772cdf6a2274ac84de72c0598b704d36787234a8bef8429327a0b1d |
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/3832-204-0x0000000000400000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c3c65487505099558aab16f6e59dcc4a |
| SHA1 | 9bef50f9bbfda364bce2813c0f69dc62b7bab077 |
| SHA256 | 83b038d5bf2a7abaa7435af9c981193952552f2385e9c087ab85f464bc795c0e |
| SHA512 | 27222520522514f022f55c0c21fc2b181e885774f2faf2156f285876f3d9f2a5f5af8c257d4dc4f20e091bb5507644339cea6a39b74068ef2cd901e94c322c6c |
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
memory/4556-231-0x0000000000D20000-0x0000000000D72000-memory.dmp
memory/4556-232-0x0000000005D60000-0x0000000006306000-memory.dmp
memory/4556-242-0x00000000057B0000-0x0000000005842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/4868-244-0x0000000000020000-0x00000000000E0000-memory.dmp
memory/4556-247-0x00000000058A0000-0x00000000058AA000-memory.dmp
memory/4556-267-0x0000000005CA0000-0x0000000005D16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp974E.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/5244-269-0x0000000000400000-0x000000000044E000-memory.dmp
memory/5244-268-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4556-270-0x0000000006A20000-0x0000000006A3E000-memory.dmp
memory/4556-273-0x00000000072A0000-0x00000000078B8000-memory.dmp
memory/4556-274-0x0000000006DF0000-0x0000000006EFA000-memory.dmp
memory/4556-275-0x0000000006D30000-0x0000000006D42000-memory.dmp
memory/4556-276-0x0000000006D90000-0x0000000006DCC000-memory.dmp
memory/4556-277-0x0000000006F00000-0x0000000006F4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/2772-287-0x0000000000490000-0x000000000093D000-memory.dmp
memory/1688-288-0x00000000001B0000-0x0000000000799000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
| MD5 | d14f4b8b71b645f1f6b3ec2530d9c2d0 |
| SHA1 | c62d3a73ecff3337e59d1ecfcbfd3da77a8ca933 |
| SHA256 | 069bebac87e5c2bf6e4c4bfb52a8731e1a98867a3bf1214e56da9ee7f86a62ec |
| SHA512 | 979b3f4faadf1ef7cf97d9d1fac1518c5307e10ee52a2c74406282f95c1811b075b226029fc5ceb56e1104ed1d43c2db51ed2d9a37d9153a8a532b0bd8683457 |
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1696768468-2170909707-4198977321-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2ebf137a-1b71-487a-a697-945baa2a07f9
| MD5 | f8ecf0f6aa6d01c9d46384da17e82534 |
| SHA1 | 28c58f557df2404c57a27efc5195e8059a7b9d96 |
| SHA256 | 3ddf7d583425da6cd209b9239c0dcd9386c22e203c42210f3f09ce05fbb9fb8c |
| SHA512 | 18c7c5e8716227edf72f24c29c78c646fa4edd53365989173ee4e8e6c805ed9f1d96e597188794b2a272730bdb865b2b2dac88ed8eaea15d2f96d962b25e43dd |
memory/4868-349-0x000000001BB80000-0x000000001BBF6000-memory.dmp
memory/5804-350-0x0000000000BA0000-0x0000000000BF2000-memory.dmp
memory/4868-357-0x000000001BF30000-0x000000001BF4E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 47296628eb4bd90af9671d28eb603bc8 |
| SHA1 | 76a0b9b688a1123cc848709caa539bf11df1c7b9 |
| SHA256 | e2be014e5fab42f70900a6679f67afb27fe011fe76c0ca7bb7df3accffa32b0b |
| SHA512 | 65162a2831e4f0643d04256cd99a510b4510f4c49c712977da83288949103d9784e690c6a6d3a82a12cf7aca0e12a8852eabad65ea205a8ade6e9c3a37904da8 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | ae93d341ebb48c6eb45cb1e2ff71acb5 |
| SHA1 | 4dff2fed47d11482df32a51214c10183b02d9610 |
| SHA256 | fa39c29ed96ad08ddd012d81638c51bab174cc6c940dcf96f2790bdec624db53 |
| SHA512 | b37746a2cf05e14ae77d5ec92df7275585193b7f043b88726aa8bf16b193426f5371143d404480e03f0e6b5f874fc1d71489d966ce309cebf420f97a8675be29 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 182026b78ee7a71c66e5765979ee38cd |
| SHA1 | 73f8ee5fc6e251f01984c0ed36894001895bb207 |
| SHA256 | e4aa954247fe6f6a4a2b2ad65a7960bbb78d82ff11e6c3bcd6dccd3e77667e8d |
| SHA512 | 5072ec3e1004e8b4d612b1c64f19c6683402eb470333e31cc79ea3b116c6215dfc88eadb1d18e6a8b037fc82ae8093354eb0797a9743d2f8d4ca1d7fe99c11f8 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | fbb3e0a7ad273c13344e151cc5ff0985 |
| SHA1 | 3730d5d9edd9e1db1abcd3501e8438212e075734 |
| SHA256 | a813c7629f4b734fe106e5187634dd0e5d2a33df3c37ddceb6d44871f2624d3c |
| SHA512 | 31385ea8abee3ea815bca79c4d6fab78e76a43af52db0c49e6b1e5a3ec707a98f5f3c68ee65cfc367d60ca9228c049b2191571190fc454da092f7c71d15cab25 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | df280e890eb8624036b4929bd4a6625e |
| SHA1 | e12e951034fa2cb1c04c20f4ce383fed50192a9d |
| SHA256 | 40f1fdf4aad7dcb4155ee799e64490b074055254393a9a919cfab75b14f8dfcc |
| SHA512 | fdc300cbccbdc325d5c2b0400c53adac60c46834510b38cf0260b7bd23d48f9f09a9d99cfe094392e417536aa7857f76ebe2e391de0d056b84688e9a8eb85694 |
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
| MD5 | 2c8f5e7a9e670c3850b2de0d2f3758b2 |
| SHA1 | 42409c886411ce73c1d6f07bbae47bf8f2db713c |
| SHA256 | bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce |
| SHA512 | 1237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454 |
memory/5180-421-0x0000000000110000-0x000000000013E000-memory.dmp
memory/5348-424-0x0000000000400000-0x000000000063B000-memory.dmp
memory/5348-426-0x0000000000400000-0x000000000063B000-memory.dmp
memory/5256-431-0x0000000000400000-0x0000000002AF3000-memory.dmp
memory/4556-432-0x0000000007040000-0x00000000070A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe
| MD5 | 24dd75b0a7bb9a0e0918ee0dd84a581a |
| SHA1 | de796b237488df3d26a99aa8a78098c010aeb2c9 |
| SHA256 | 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d |
| SHA512 | 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557 |
C:\Users\Admin\AppData\Local\Temp\u4eg.0.exe
| MD5 | c662be00aaacad366e2b23b11317edac |
| SHA1 | 29c2d6db08fc978e6fee67e5ea7e2fcadaddd847 |
| SHA256 | 8b6af6cb7481b58e76dde6969caf317273d72afed263fdb28f9c34a703c4acb1 |
| SHA512 | 501085db6ea486c72fe89dba05fa20e160cf521c3f34e88382290c87b1a8ca0b6bb529d84d817bf8f1375fd34840de120565a9f0693408967f5b05075606cdbb |
memory/3996-460-0x00000000000F0000-0x00000000005B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
| MD5 | c731833c719976e09aea854d6fbe06a0 |
| SHA1 | b69725c4a91543fc7e552c8e5f9e0a335f9d3a6f |
| SHA256 | 9accd52a77588ee6600b670396e21a89ae04f8b160c66d7874331dc82d4d87e4 |
| SHA512 | 62ea04800a8866e2371c96247784ee63b59fcf815a51369b2d89f52b84e068d8abc1995c65fdc7b13b6168dd542c27ad93e106c5804f6e851d3fa4fae775bbc6 |
memory/5348-479-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
| MD5 | fc81c3bd098b7bba5afa62dee37b4137 |
| SHA1 | 60f82337306a6f68da4a1a9c9cc06031285af754 |
| SHA256 | f34cfe3f25517c21d91f02ccce034087acf68316806f3e4b26f14e90a2627124 |
| SHA512 | 2bc3cc7b0a20c5c735ead8f8bc329ff4ab4ffb68a3f83f89c0e1642ae58157cfd62d0649f5070bac8ec7dbcae1c2f49ca6d4bd9992e0d0614f7f56dc1167b617 |
C:\Users\Admin\AppData\Local\Temp\u4eg.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 392aebb7a453ca47bff0f534afab918d |
| SHA1 | af37bef0fbf6f93e1dd9ef8a0f224524f292cd36 |
| SHA256 | ba314296285075c88accce299e8582499450f14cb1d6595262991e50c69d60c8 |
| SHA512 | a49945d84ea686543b6be89f8a6415c755aa90ea57c3bd9ee18431f14ddded4c06c275faaa37911eba8fa071ed68e8bb1fbfeedc8e44dc18b2c9d30fbe247b6f |
C:\Users\Admin\AppData\Local\Temp\u4eg.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Temp\u4eg.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u4eg.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
memory/2772-632-0x0000000000490000-0x000000000093D000-memory.dmp
memory/5644-633-0x000000006BF90000-0x000000006C10D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4eg.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/5644-637-0x00007FFB125C0000-0x00007FFB127C9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4eg.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
memory/4556-643-0x00000000079C0000-0x0000000007A10000-memory.dmp
memory/1688-644-0x00000000001B0000-0x0000000000799000-memory.dmp
memory/5704-645-0x0000000000400000-0x0000000002B15000-memory.dmp
memory/2608-654-0x000002E854ED0000-0x000002E854EF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hj1wl5eb.pv3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\u4eg.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/5644-682-0x000000006BF90000-0x000000006C10D000-memory.dmp
memory/5704-688-0x0000000000400000-0x0000000002B15000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | eb858201a2c5f369b9b963640809eb0b |
| SHA1 | 41b1dc523a100e4a03896da0258a4f70dc92d0c7 |
| SHA256 | f6079135b98a45ec4df978e90158aeece744512a090603804a89cfc77dfc3baf |
| SHA512 | 09f47b39fcd0ec92ed1f301983a05c166d861b962bc53f0c4f601eb7c09d42fd312bd746580f5b88d8df96e872d0a8fb08f6cec4e597558b3978d4a06c696e93 |
memory/5668-711-0x0000000002200000-0x0000000002251000-memory.dmp
memory/5668-715-0x0000000000400000-0x00000000005C4000-memory.dmp
memory/2772-713-0x0000000000490000-0x000000000093D000-memory.dmp
memory/3996-714-0x00000000000F0000-0x00000000005B6000-memory.dmp
memory/5948-718-0x00007FFB125C0000-0x00007FFB127C9000-memory.dmp
memory/5828-716-0x0000000000400000-0x0000000002AF0000-memory.dmp
memory/5164-717-0x0000000000400000-0x0000000002ED3000-memory.dmp
memory/2440-720-0x0000000002C80000-0x0000000002CB6000-memory.dmp
memory/2440-721-0x0000000005420000-0x0000000005A4A000-memory.dmp
memory/2440-723-0x0000000005B70000-0x0000000005BD6000-memory.dmp
memory/2440-722-0x0000000005AD0000-0x0000000005AF2000-memory.dmp
memory/2440-732-0x0000000005C50000-0x0000000005FA7000-memory.dmp
memory/2440-733-0x0000000006140000-0x000000000615E000-memory.dmp
memory/2440-736-0x000000006C230000-0x000000006C587000-memory.dmp
memory/2440-735-0x000000006FE70000-0x000000006FEBC000-memory.dmp
memory/2440-734-0x00000000073A0000-0x00000000073D4000-memory.dmp
memory/4556-746-0x0000000008060000-0x0000000008222000-memory.dmp
memory/2440-747-0x00000000073E0000-0x0000000007484000-memory.dmp
memory/2440-745-0x0000000007360000-0x000000000737E000-memory.dmp
memory/4556-748-0x0000000008DB0000-0x00000000092DC000-memory.dmp
memory/2440-750-0x00000000074F0000-0x000000000750A000-memory.dmp
memory/2440-749-0x0000000007B30000-0x00000000081AA000-memory.dmp
memory/2440-751-0x0000000007570000-0x000000000757A000-memory.dmp
memory/2440-752-0x0000000007780000-0x0000000007816000-memory.dmp
memory/2608-755-0x000002E854F40000-0x000002E854F4A000-memory.dmp
memory/2440-754-0x00000000076F0000-0x0000000007701000-memory.dmp
memory/2608-753-0x000002E854F60000-0x000002E854F72000-memory.dmp
memory/2440-761-0x0000000007720000-0x000000000772E000-memory.dmp
memory/2440-762-0x0000000007730000-0x0000000007745000-memory.dmp
memory/2440-763-0x0000000007820000-0x000000000783A000-memory.dmp
memory/2440-765-0x0000000007770000-0x0000000007778000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | e103f8e38392ed57b61f7cf9987dab78 |
| SHA1 | 85fe889dac27e81c856960cc2cf74724dc3f8826 |
| SHA256 | 340c5932e4d76f069f4895205ca5f6b0ab62570991cf95b448b92eb068370d41 |
| SHA512 | 05ae6c3d8c08a705f3f37810caa2f85bbea6d7128402e6d4576fa0cf72d1a76d69d7feacd7b61851f3006fc4fa04b4fc530c2ccc2097d7bfe454eb1f7d117dd1 |
memory/5668-785-0x0000000002200000-0x0000000002251000-memory.dmp
memory/1688-790-0x00000000001B0000-0x0000000000799000-memory.dmp
memory/1688-788-0x00000000001B0000-0x0000000000799000-memory.dmp
memory/3996-789-0x00000000000F0000-0x00000000005B6000-memory.dmp
memory/5828-793-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\CAFBGDHC
| MD5 | 43a9e929067784c1aed076f3ef079e8f |
| SHA1 | ca70c6fe08bff62fe9158ade07b40f250c7cb6d1 |
| SHA256 | 62ea6e46a4ff16ef8803b8169a5536278baddc9e058474629d57b1d754ff2349 |
| SHA512 | 5eff33797f696df19a104b7bfaf3d2f51bd629cdca11e5544017ebc7af0df86b484fe1f53f38e0c6aed52eb4f099fcca353dc4726074fe69c423b948012ed08e |
memory/3604-820-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/5828-819-0x0000000000400000-0x0000000002AF0000-memory.dmp
C:\ProgramData\BGDHDAFI
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
memory/3996-831-0x00000000000F0000-0x00000000005B6000-memory.dmp
memory/5164-830-0x0000000000400000-0x0000000002ED3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 97902d229f270491f5958580ed634871 |
| SHA1 | 9e9c72719d056ef10cea47fe8cb52eccb91b633a |
| SHA256 | 661be657b45ae58c39cec70fa7f05e76a7bcfcd848d340cda3e41c860e41846d |
| SHA512 | 2e4f3d17cc002819869fdbc016c53e1870d0536c25428294a2c6a2727859cbfe96b8015cff3b026660fbb8b038c3f885e727f6bf09c4e6a55e27458aaeb21627 |
memory/3604-846-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/2772-847-0x0000000000490000-0x000000000093D000-memory.dmp
memory/4192-849-0x0000022FCC300000-0x0000022FCFBF8000-memory.dmp
memory/4192-850-0x0000022FEA450000-0x0000022FEA560000-memory.dmp
memory/4192-852-0x0000022FD1900000-0x0000022FD190C000-memory.dmp
memory/4192-853-0x0000022FD18E0000-0x0000022FD18F4000-memory.dmp
memory/4192-851-0x0000022FD0090000-0x0000022FD00A0000-memory.dmp
memory/4192-854-0x0000022FEA140000-0x0000022FEA164000-memory.dmp
memory/4192-858-0x0000022FEA170000-0x0000022FEA17A000-memory.dmp
memory/4192-859-0x0000022FEA6B0000-0x0000022FEA762000-memory.dmp
memory/4192-862-0x0000022FEA7C0000-0x0000022FEA7EA000-memory.dmp
memory/4192-861-0x0000022FEA760000-0x0000022FEA7C2000-memory.dmp
memory/4192-860-0x0000022FEA1B0000-0x0000022FEA22A000-memory.dmp
memory/4192-863-0x0000022FD18C0000-0x0000022FD18CA000-memory.dmp
memory/4192-867-0x0000022FEA8C0000-0x0000022FEABC0000-memory.dmp
memory/4192-869-0x0000022FEF320000-0x0000022FEF328000-memory.dmp
memory/4192-871-0x0000022FEEC70000-0x0000022FEEC7E000-memory.dmp
memory/4192-870-0x0000022FEECA0000-0x0000022FEECD8000-memory.dmp
memory/4192-873-0x0000022FEF340000-0x0000022FEF362000-memory.dmp
memory/4192-872-0x0000022FEF5C0000-0x0000022FEF5CA000-memory.dmp
memory/4192-874-0x0000022FEFB00000-0x0000022FF0028000-memory.dmp
memory/4192-877-0x0000022FEF3B0000-0x0000022FEF400000-memory.dmp
memory/4192-878-0x0000022FEF360000-0x0000022FEF36C000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/5616-911-0x0000000000500000-0x00000000005C6000-memory.dmp
memory/1736-922-0x0000000005A80000-0x0000000005DD7000-memory.dmp
memory/1736-923-0x00000000064B0000-0x00000000064FC000-memory.dmp
memory/1736-932-0x0000000070620000-0x000000007066C000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
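The Files listing above mixes two record types: memory region dumps named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`, and dropped-file paths each followed by `| MD5 | … |` style hash rows. To turn that into something a responder can act on (a SHA-256 blocklist of the dropped executables, and a view of which process regions the sandbox captured repeatedly), here is an added example parser; it is not part of the report or the sandbox's tooling. The `SAMPLE` input is a constructed excerpt copied from the entries above, and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt: lines copied verbatim from the report's Files section
# (two memory dumps, a dropped EXE, the empty crashpad pipe entry, nss3.dll).
SAMPLE = r"""
Files
memory/3912-0-0x0000000000240000-0x00000000006ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
| MD5 | c6c67eb559da36d1059124e4f58f5693 |
| SHA1 | 98660ff111c1632bc86e96630122cd819593de60 |
| SHA256 | 5abf3503b34641acc788bf5eb39e44e85b7523ff744947d489fa9b236105c0aa |
memory/2772-22-0x0000000000490000-0x000000000093D000-memory.dmp
memory/2772-137-0x0000000000490000-0x000000000093D000-memory.dmp
\??\pipe\crashpad_3572_GFJQXJAEEDNELRHX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
"""

MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# SHA-256 of zero bytes. An entry carrying this digest had no content to hash
# (here the crashpad named pipe), so it must not end up in a blocklist.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def parse_files_section(text):
    """Return (files, regions).

    files   : list of {"path": str, "hashes": {algo: hexdigest}} in report order
    regions : {pid: [(seq, start, end), ...]} parsed from the memory/... names
    """
    files, regions, current = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Files":          # blank line or the section heading
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq = int(m[1]), int(m[2])
            regions[pid].append((seq, int(m[3], 16), int(m[4], 16)))
            current = None                       # hash rows never follow a dump line
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current["hashes"][h[1]] = h[2].lower()
            continue
        current = {"path": line, "hashes": {}}   # anything else is a dropped-file path
        files.append(current)
    return files, dict(regions)


def dropped_executables(files):
    """{sha256: path} for dropped .exe/.dll artifacts that have real content,
    i.e. the entries worth feeding into a hash blocklist or a retro-hunt."""
    out = {}
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha and sha != EMPTY_SHA256 and f["path"].lower().endswith((".exe", ".dll")):
            out[sha] = f["path"]
    return out


def repeated_regions(regions):
    """Per pid, regions dumped more than once as (start, end, size, count).
    The same range re-captured at several sequence numbers is usually the
    process's unpacked image; the size says how large a dump to expect."""
    out = {}
    for pid, lst in regions.items():
        counts = Counter((s, e) for _, s, e in lst)
        hits = [(hex(s), hex(e), e - s, n) for (s, e), n in counts.items() if n > 1]
        if hits:
            out[pid] = hits
    return out


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    for sha, path in dropped_executables(files).items():
        print(f"{sha}  {path}")
    for pid, hits in repeated_regions(regions).items():
        for start, end, size, n in hits:
            print(f"pid {pid}: {start}-{end} ({size:#x} bytes) dumped {n} times")
```

Run against the full listing, `dropped_executables` yields the SHA-256 set for the payload chain (explorta.exe, amert.exe, the numbered `1000…001` droppers, cred64.dll/clip64.dll, mozglue.dll/nss3.dll and the rest) while skipping the crashpad pipe, whose MD5 `d41d8cd9…` and SHA-256 `e3b0c442…` are the digests of an empty input. `repeated_regions` surfaces ranges such as pid 2772's `0x490000-0x93D000`, which the sandbox dumped again and again across the run; those are the dumps to pull first when you want the unpacked stealer rather than the loader.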