Malware Analysis Report

2024-09-11 08:43

Sample ID 240429-felf1aba8t
Target 0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
SHA256 0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
Tags
amadey evasion trojan glupteba lumma redline risepro sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery dropper infostealer loader persistence rat rootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01

Threat Level: Known bad

The file 0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01 was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan glupteba lumma redline risepro sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery dropper infostealer loader persistence rat rootkit spyware stealer

Glupteba payload

Detect Xworm Payload

Lumma Stealer

SectopRAT payload

RisePro

RedLine payload

Windows security bypass

Amadey

RedLine

SectopRAT

Stealc

Glupteba

Xworm

Detect ZGRat V1

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Windows security modification

Reads local data of messenger clients

Reads data files stored by FTP clients

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

AutoIT Executable

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Credentials in Registry
T1552.002
Discovery
TA0007
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-29 04:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 04:47

Reported

2024-04-29 04:52

Platform

win7-20240419-en

Max time kernel

293s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1648 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1648 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 1648 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe

"C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

Network

Country Destination Domain Proto
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp

Files

memory/1648-0-0x0000000000200000-0x00000000006CD000-memory.dmp

memory/1648-1-0x0000000076F70000-0x0000000076F72000-memory.dmp

memory/1648-5-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/1648-4-0x0000000002570000-0x0000000002571000-memory.dmp

memory/1648-3-0x00000000026E0000-0x00000000026E1000-memory.dmp

memory/1648-2-0x00000000025C0000-0x00000000025C2000-memory.dmp

memory/1648-8-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1648-7-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/1648-10-0x0000000002890000-0x0000000002891000-memory.dmp

memory/1648-9-0x0000000002560000-0x0000000002561000-memory.dmp

memory/1648-6-0x00000000021E0000-0x00000000021E1000-memory.dmp

memory/1648-11-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/1648-12-0x0000000002430000-0x0000000002431000-memory.dmp

memory/1648-13-0x0000000002440000-0x0000000002441000-memory.dmp

memory/1648-14-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/1648-16-0x0000000002230000-0x0000000002231000-memory.dmp

memory/1648-17-0x0000000002B10000-0x0000000002B11000-memory.dmp

\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 31e45caea6d338f180c2ef2dbf17aa6e
SHA1 e141b38e3bb7a3fe62a41c16ffb319d082fda78e
SHA256 0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
SHA512 446793aa76caf5a0bfadf952c369b60a765f44cc1c3813828e2c6a8859646740a293ad2e993a7dbb4ccebcf65123b284535666110a596e83efb1f15fc734a5f2

memory/1648-25-0x0000000007340000-0x000000000780D000-memory.dmp

memory/1648-28-0x0000000000200000-0x00000000006CD000-memory.dmp

memory/2820-29-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-41-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/2820-40-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/2820-39-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2820-38-0x0000000000C10000-0x0000000000C11000-memory.dmp

memory/2820-37-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/2820-36-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2820-35-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/2820-34-0x0000000000940000-0x0000000000941000-memory.dmp

memory/2820-33-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2820-32-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/2820-31-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/2820-30-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/2820-45-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/2820-44-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/2820-43-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/2820-46-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-47-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-48-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-49-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-50-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-51-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-52-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-53-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-54-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-55-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-56-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-57-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-58-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-59-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-60-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-61-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-62-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-63-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-64-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-65-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-66-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-67-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-68-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-69-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-70-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-71-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-72-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-73-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-74-0x0000000000DD0000-0x000000000129D000-memory.dmp

memory/2820-75-0x0000000000DD0000-0x000000000129D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 04:47

Reported

2024-04-29 04:52

Platform

win10-20240404-en

Max time kernel

299s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe"

Signatures

Amadey

trojan amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Xworm

trojan rat xworm

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\ae0782aebe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\ae0782aebe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\ae0782aebe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\1000017002\ae0782aebe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\1000017002\ae0782aebe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.0.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\240d7ab3b8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\240d7ab3b8.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\ae0782aebe.exe = "C:\\Users\\Admin\\1000017002\\ae0782aebe.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\1000017002\ae0782aebe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1320 set thread context of 4068 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4840 set thread context of 5116 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5300 set thread context of 5340 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5992 set thread context of 6072 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2188 set thread context of 5840 N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 920 set thread context of 5516 N/A C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 5516 set thread context of 5812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u4fg.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u4fg.0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\1000017002\ae0782aebe.exe N/A
N/A N/A C:\Users\Admin\1000017002\ae0782aebe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3336 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 3336 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 3336 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2720 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2720 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2720 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2720 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2720 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2720 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2720 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe
PID 2720 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe
PID 2720 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe
PID 3088 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3088 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 4492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 4492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2192 wrote to memory of 824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe

"C:\Users\Admin\AppData\Local\Temp\0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"

C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe

"C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9f08d9758,0x7ff9f08d9768,0x7ff9f08d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4448 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4652 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:1

C:\Users\Admin\1000017002\ae0782aebe.exe

"C:\Users\Admin\1000017002\ae0782aebe.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4764 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1816,i,15735356371175403051,4470141846077302057,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 812

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 512

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 512

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe

"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\687926120302_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe

"C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u4fg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u4fg.0.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe

"C:\Users\Admin\AppData\Local\Temp\u4fg.3.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

Network

Country Destination Domain Proto
RU 193.233.132.139:80 193.233.132.139 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 139.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 f.f.f.f.9.d.a.0.2.d.e.b.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
GB 172.217.16.238:443 www.youtube.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com udp
US 8.8.8.8:53 udp
GB 142.250.200.14:443 accounts.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 clients2.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
GB 142.250.187.206:443 play.google.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 216.58.204.74:443 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 172.67.181.34:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 34.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 cleartotalfisherwo.shop udp
US 172.67.185.32:443 cleartotalfisherwo.shop tcp
US 8.8.8.8:53 worryfillvolcawoi.shop udp
US 104.21.44.125:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 enthusiasimtitleow.shop udp
US 104.21.18.233:443 enthusiasimtitleow.shop tcp
US 172.67.205.132:443 dismissalcylinderhostw.shop tcp
US 8.8.8.8:53 diskretainvigorousiw.shop udp
US 172.67.211.165:443 diskretainvigorousiw.shop tcp
US 8.8.8.8:53 125.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 233.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 132.205.67.172.in-addr.arpa udp
US 8.8.8.8:53 165.211.67.172.in-addr.arpa udp
US 8.8.8.8:53 communicationgenerwo.shop udp
DE 185.172.128.19:80 tcp
US 172.67.147.41:443 tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 41.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 172.67.216.69:443 shortsvelventysjo.shop tcp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 69.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 63.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 file-host-host0.com udp
RU 185.215.113.67:26260 tcp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
RU 194.87.210.219:80 file-host-host0.com tcp
US 8.8.8.8:53 243.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 104.21.33.174:443 demonstationfukewko.shop tcp
FR 52.143.157.84:80 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 172.67.150.207:443 tcp
US 172.67.218.63:443 tcp
US 8.8.8.8:53 parrotflight.com udp
US 8.8.8.8:53 219.210.87.194.in-addr.arpa udp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 234.132.233.193.in-addr.arpa udp
US 172.67.187.204:443 parrotflight.com tcp
US 8.8.8.8:53 junglethomas.com udp
US 104.21.92.190:443 junglethomas.com tcp
US 8.8.8.8:53 204.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
DE 185.172.128.33:8970 tcp
RU 193.233.132.167:80 tcp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 palmeventeryjusk.shop udp
US 104.21.7.13:443 palmeventeryjusk.shop tcp
US 8.8.8.8:53 entitlementappwo.shop udp
US 172.67.177.73:443 entitlementappwo.shop tcp
US 8.8.8.8:53 economicscreateojsu.shop udp
US 104.21.47.60:443 economicscreateojsu.shop tcp
US 8.8.8.8:53 13.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 73.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 60.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 pushjellysingeywus.shop udp
US 172.67.217.241:443 pushjellysingeywus.shop tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 absentconvicsjawun.shop udp
US 104.21.26.86:443 absentconvicsjawun.shop tcp
US 8.8.8.8:53 suitcaseacanehalk.shop udp
US 104.21.86.26:443 suitcaseacanehalk.shop tcp
US 8.8.8.8:53 241.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 86.26.21.104.in-addr.arpa udp
US 8.8.8.8:53 bordersoarmanusjuw.shop udp
US 172.67.189.66:443 bordersoarmanusjuw.shop tcp
US 8.8.8.8:53 mealplayerpreceodsju.shop udp
US 104.21.22.58:443 mealplayerpreceodsju.shop tcp
US 8.8.8.8:53 wifeplasterbakewis.shop udp
US 172.67.196.237:443 wifeplasterbakewis.shop tcp
US 8.8.8.8:53 26.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 66.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 58.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 237.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 172.67.166.251:443 tcp
US 8.8.8.8:53 udp
N/A 104.21.47.56:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 173.194.69.84:443 udp
US 8.8.8.8:53 udp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:7000 saveclinetsforme68465454711991.publicvm.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 108.254.92.91.in-addr.arpa udp
NL 91.92.254.108:1111 saveclinetsforme68465454711991.publicvm.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
FR 52.143.157.84:80 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 106.76.97.176.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
US 20.157.87.45:80 tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.245:443 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
RU 193.233.132.167:80 tcp
US 8.8.8.8:53 145.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 d1b52836-2bef-41c8-ac60-19801d01bebf.uuid.dumperstats.org udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
RU 91.215.85.66:15647 tcp
US 8.8.8.8:53 66.85.215.91.in-addr.arpa udp
RU 91.215.85.66:9000 91.215.85.66 tcp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.dumperstats.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.111:443 server10.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server10.dumperstats.org tcp
US 104.21.95.172:443 tcp
DE 185.172.128.150:80 185.172.128.150 tcp
US 8.8.8.8:53 150.128.172.185.in-addr.arpa udp
BG 185.82.216.111:443 server10.dumperstats.org tcp
US 8.8.8.8:53 udp
RU 193.233.132.139:80 193.233.132.139 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.111:443 server10.dumperstats.org tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
N/A 127.0.0.1:31465 tcp

Files

memory/3336-0-0x0000000001190000-0x000000000165D000-memory.dmp

memory/3336-1-0x0000000077A34000-0x0000000077A35000-memory.dmp

memory/3336-5-0x0000000001180000-0x0000000001181000-memory.dmp

memory/3336-9-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/3336-8-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

memory/3336-7-0x00000000016E0000-0x00000000016E1000-memory.dmp

memory/3336-6-0x00000000016F0000-0x00000000016F1000-memory.dmp

memory/3336-4-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

memory/3336-3-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/3336-2-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

memory/3336-12-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

memory/3336-11-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 31e45caea6d338f180c2ef2dbf17aa6e
SHA1 e141b38e3bb7a3fe62a41c16ffb319d082fda78e
SHA256 0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
SHA512 446793aa76caf5a0bfadf952c369b60a765f44cc1c3813828e2c6a8859646740a293ad2e993a7dbb4ccebcf65123b284535666110a596e83efb1f15fc734a5f2

memory/3336-21-0x0000000001190000-0x000000000165D000-memory.dmp

memory/2720-22-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/2720-29-0x0000000004A80000-0x0000000004A81000-memory.dmp

memory/2720-28-0x0000000004A70000-0x0000000004A71000-memory.dmp

memory/2720-27-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/2720-26-0x0000000004A30000-0x0000000004A31000-memory.dmp

memory/2720-25-0x0000000004A90000-0x0000000004A91000-memory.dmp

memory/2720-24-0x0000000004A50000-0x0000000004A51000-memory.dmp

memory/2720-23-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/2720-30-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

memory/2720-31-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

MD5 d4a3b4ce9ec10985a5f9678c99df06fd
SHA1 d3ed7513b9ce4c4cda57ea2862e655dd8dddc564
SHA256 84a1116b26b457a2fa6acb2431df33dc17438112dab1f9270afb943d67e07908
SHA512 eccb051a6a868753854f3c51ec0be6bff276980e36129c8b436d6d88335c1314803fe9ea5db3570e0e4c68b32d2bca7473218b6992c1f628e06061487df9aff1

memory/3952-46-0x0000000000BC0000-0x000000000106E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000016001\240d7ab3b8.exe

MD5 ade4aaf6ba7823e268f863b15563d939
SHA1 b264924172ecbc9527005df786723332b1c8bcaf
SHA256 30660bf5e4664edd7a287a9e9c09ba20ea95649f5c5410973261423602c6b236
SHA512 f62cc0563d8a98a8ef425a499e7de07bff9adda3571a2d7beba501acbdfe0656bc3340b1b7b6e4253dda9d02e651cb09c977bc72041e85817917e3b4a17eea6a

memory/3952-64-0x0000000000BC0000-0x000000000106E000-memory.dmp

\??\pipe\crashpad_2192_LOJZFULCPGRPTBAO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\1000017002\ae0782aebe.exe

MD5 37d6a74585c9ec4c8e5e8588964aef04
SHA1 186d4a49d826c81d255006ccaae64286c132e2e0
SHA256 e1de94d9d08127a21ac7311abc027991f5c1418e14098e6cfbb36c9462dbf8e8
SHA512 70031635d630a92ccf1a32fdc94eb324a1180ef4e39bf6f95d50f7545cfd94db90391e6b7eec9dcbd60017897d192a0605a3349c5a7e77a90d7c9e280d2f35e0

memory/1328-108-0x0000000000830000-0x0000000000E08000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

memory/2720-125-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/2720-126-0x00000000000C0000-0x000000000058D000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6d6f0552fa45d4dc6626a283579dfd0a
SHA1 7f43a76d7ff6ff3cde352317b20fef7f46b94e5d
SHA256 bddcb027fef2057ac7418bb7d9541ce6bb92000b0055d848d5c8d9468ad13329
SHA512 25e3995a42bd6a6fba3b9e096ed250e579764f79cdb08771e91c5948394baae95819d25accd72d81f6b1365050c14e3281167bde1c4535fcdfb2fcc203df37a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e5224da4e5eabdecab1e364a1f4f50a3
SHA1 16c40fdbf8935a278344e20c6d0f643a6680ecf8
SHA256 9f661080b44c0022025d5615635219a33fc613b3597fdb0937d21b296a0d7bac
SHA512 e317c87f4578b523bc6bc6354362592c91772b01b95d7eee0b416f5cc8ffad9fddb14e8f22519fef020e88fe31ae51602aaa07c7eeee4c8e607eb59716d226e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0ce1221e93fdf1cc1fb5de90c319ea40
SHA1 737085f29ee84232634e9b3271a42d8edc93861e
SHA256 4a9c94b4dcd7bbb11aac9d6c259293d5f2a9535ea21ce6bb0200384bdad917c6
SHA512 3b7c4829a0baf1dbc5ef093d21ec5fedeaae275c74c7fadeae4beec8e8801cdf14cdf2eef90f8cd47e2c3754dc4afd845dd145cc0b8a399dc85bad1cce171663

memory/2720-146-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/1328-147-0x0000000000830000-0x0000000000E08000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2f4ce1c5a16f7b521c21977b45a165d3
SHA1 d5e9ba83d5abd8c002677bd9e90b64cbd0fc5910
SHA256 d11fdb716625484165c662cabebb5926ba86b02b5a2928a10862cee06133ab3b
SHA512 32415a57ac413c604b806550c912c9ecdc644add52e1b0b3b0f7fed1fcd0f58f0d04434bb4544582baf5b4e56382030f0b4d9a17722c5acf69a1727f10613fe3

memory/1328-155-0x0000000000830000-0x0000000000E08000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 844cdb65d0d23bb010ebb79ab98a2399
SHA1 ccf5c0a4142c462c174f480dac81d631abc752ce
SHA256 1eb6e569a50244183578911aec32f7ce94c8e1d5ebaac48a0e99a0e66089b63f
SHA512 6ee04adf5f3c59a359d3a02bc0ab1295f61292b8e4b4760c3528e1384ad7745c095fa04f06e6f798110d67d126ce26e44227ee64d3aca2f9ae1cbf1ef394af9c

memory/1328-161-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/2720-162-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/1328-163-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/2720-164-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/5056-168-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/2280-169-0x0000000000960000-0x0000000000E0E000-memory.dmp

memory/5056-171-0x00000000000C0000-0x000000000058D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/1320-185-0x0000000000F00000-0x0000000000F52000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 259afe417d7494609c1fdfb52b4abcac
SHA1 c36a732fef816ac909700d2c332f2afc3d903236
SHA256 edaddd80cdb8d0e411ce8ac8dece32ecb8c4665d8f76b804d60ef6b12048a70d
SHA512 0fe5036a5ce65697075d85af5c4d750419885bf2ec3d03cd10e19f1811afd2d190824075c9ce49b1ee012c7a5fe3011a4b5cb9d8669bbc26e5aaa7631066e29b

memory/4068-199-0x0000000000400000-0x000000000044C000-memory.dmp

memory/4068-197-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/5116-213-0x0000000000400000-0x0000000000592000-memory.dmp

memory/3640-223-0x0000000000AB0000-0x0000000000B02000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

memory/3640-224-0x0000000005830000-0x0000000005D2E000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

memory/3640-225-0x00000000053D0000-0x0000000005462000-memory.dmp

memory/3640-228-0x0000000005370000-0x000000000537A000-memory.dmp

memory/3516-227-0x0000000000AD0000-0x0000000000B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp2B60.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3640-245-0x0000000005EF0000-0x0000000005F66000-memory.dmp

memory/1328-246-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/3640-247-0x0000000006670000-0x000000000668E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

memory/3640-258-0x0000000006EE0000-0x00000000074E6000-memory.dmp

memory/5340-268-0x0000000000400000-0x000000000044E000-memory.dmp

memory/5340-267-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3640-266-0x0000000006B60000-0x0000000006BAB000-memory.dmp

memory/3640-265-0x00000000069E0000-0x0000000006A1E000-memory.dmp

memory/3640-261-0x0000000006980000-0x0000000006992000-memory.dmp

memory/3640-259-0x0000000006A50000-0x0000000006B5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

MD5 6b19cf5e2ad1c589a9591ef99c071c1d
SHA1 c628156dfc41fdde30f692bbcc6f7e4fdf0dd2ea
SHA256 b6b7cff03c27eb56d701cd474bc5c12807dbeb58fca0941bcf9ec2c269a07cf7
SHA512 0a4005b2869769e5faa4c874185e48f84fae302ffad28b14a69e9be4c8f01600202b91cca5adc42c25ce819a7b0c17a2d1f07c0468c2e83a8eaec66c5ff2e0bc

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

memory/5776-308-0x0000000000810000-0x0000000000862000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1687926120-3022217735-1146543763-1000\76b53b3ec448f7ccdda2063b15d2bfc3_ae202211-6e17-4cac-b8d2-d431e54ee209

MD5 3ab020deb1b7c4a5ce99a394fd28f502
SHA1 0e7822d58d8a2d644b0e491235f09cf8721ec8fb
SHA256 0783de3e6424ce8f67876df10716ff2a871c34ce93751d9b44347c01b8b7f36f
SHA512 73a76dfe2c182a5194a71351bea6f2589cf30fae5d9ec330a9ce5a471b64b2cfc73101b82d5280c9b4c2174df990b3d9aa3725e9242c472c93129eda32e502fe

memory/2720-327-0x00000000000C0000-0x000000000058D000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 bd4b5c24fcfbe3fd6ed8baade59ec5dd
SHA1 647526090b3adc7e0b55dc3a954fb17e2c6d739c
SHA256 7328deb867e71f1e413d9ad10c2815644cbcc7616a018db673b36029277e9458
SHA512 7e2aa757dd90b3f53170009c288e87c83f76550311f2c22e38eefce85d8932e615b26773001bc36c90ec6ca94f18e8cd2c11874698666aa68fa5771e3f091f65

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

memory/6072-346-0x0000000000400000-0x000000000063B000-memory.dmp

memory/6072-349-0x0000000000400000-0x000000000063B000-memory.dmp

memory/5992-343-0x00000000002E0000-0x000000000030E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

MD5 df469e0a98c5be3dbbdee404268d491a
SHA1 17951c7c3b3dbb7769efa595298ac0183e000c77
SHA256 a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba
SHA512 8c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe

MD5 0c4043a9a9efff20810530fd0cad91d7
SHA1 ca3adc7e4f1a027a2969749ccd5e2c1b06b88162
SHA256 1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
SHA512 e5cb239c051ad141a56ca464be8068cebdc58029e39bc2d31495b27a5267604748f590397c2269d01b42f07af5a8840c8d3b339f4f042db165bd9c023a332d17

memory/2280-381-0x0000000000960000-0x0000000000E0E000-memory.dmp

memory/2188-386-0x000001DE4FE50000-0x000001DE4FE5A000-memory.dmp

memory/3640-387-0x0000000006C90000-0x0000000006CF6000-memory.dmp

memory/3640-390-0x00000000075F0000-0x0000000007640000-memory.dmp

memory/3516-391-0x000000001DD00000-0x000000001DE0A000-memory.dmp

memory/3516-393-0x000000001C720000-0x000000001C75E000-memory.dmp

memory/3516-392-0x000000001BCC0000-0x000000001BCD2000-memory.dmp

memory/3640-395-0x0000000007B10000-0x0000000007CD2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 5a3dc7062c37f1ed13f49c2680c54944
SHA1 7b7579227def2ff7a100afafde8c396cb01f192f
SHA256 5471d0c5a240c2aff6b369dc1c3b6e9eee3cfdece27a50b7379cf16b572e2686
SHA512 25b0afa3af79d7fbff6b499b246aac32ac8dcbbf8c77f1bd00ca78c0fa1d13cb84b7877f71e01d0e52ba68fa36adae3f263c18351ee82166356a15b621230d08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 734b09db1398c6cff372c88102838c03
SHA1 41a3d38878f7e554030766a88ab833765254adbf
SHA256 5d186c35028ba27755533bfdee6b1451eaa98bcf2b753f74749fda236670146a
SHA512 d19055f786cbe0f8c48a9f3e2439f73720852172d32194bee1281999dea658be33106206cbcbd7582c25f616c1aa56dda8a2e9121e77284b6d7e52b502b5f921

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

MD5 0f8023f955d412d721a55bbde3671013
SHA1 7bed01c8d87f14279455e3559895a637c80433e6
SHA256 78436320e286e78101c15a7d141a02b2071b655e4ae8133ea28c34304eb826e5
SHA512 6a44641863221caac691fd64a34045c1d13182972d29726b5dec001fd90f41206d2bd967d24e1249edd47d79e4a81e65da5c714ec4dfb57908d75e5a24a4ad38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 4d062b1bfa9cf53065bbf184b273db49
SHA1 58a4873f7be9305b95a48e59c94ce20bbd1dd712
SHA256 aa4c13e1e9c59e8378e542c1e7d73cedb4dc0b33300a38afad29ebc058a587b8
SHA512 703f0c231180817fb4c8ee11687fb7807e9d818935ce4f96d6205da56499f51f234290763a1456007e2fbc8fe5d216492213d130afb4b36de27937c264f1448c

memory/3640-396-0x0000000008210000-0x000000000873C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe

MD5 17eefbaaa30123fa3091add80026aed4
SHA1 8e43d736ea03bd33de5434bda5e20aae121cd218
SHA256 b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512 e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

memory/3516-411-0x000000001DE90000-0x000000001DF06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

MD5 5a63cd28959846d04044462f5fded111
SHA1 0cbdc7023c309edcf9de95007fefeeec96dfc8f0
SHA256 30fb161032beb7e55d3e68e21245460637d962d9c32db4b12f43a1a2da767fbb
SHA512 0c654325ff0a4a7cd638a692c230a6e862ba9641ac097a4f6ddf46b7f04c961b742792b9218daa1e2c8012290a061a3fe8f9c5e455a55f8432ed368c9c45b01f

memory/3516-424-0x000000001BCE0000-0x000000001BCFE000-memory.dmp

memory/5788-426-0x00000000005A0000-0x00000000005B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

memory/3516-445-0x000000001F540000-0x000000001FA66000-memory.dmp

memory/3516-444-0x000000001E710000-0x000000001E8D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4CE5.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/4844-461-0x00000260C1B10000-0x00000260C1B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe

MD5 24dd75b0a7bb9a0e0918ee0dd84a581a
SHA1 de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA512 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4h3xbvea.na5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2188-488-0x000001DE51A40000-0x000001DE51A4A000-memory.dmp

memory/2188-489-0x000001DE50230000-0x000001DE5028E000-memory.dmp

memory/5840-490-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 56506f47b654dd193c7dcedbbb1459ee
SHA1 cd5c001a2804f464f1cd73917dbb91355ed68976
SHA256 394cd6851cb59170fbdd220d22c1e488188a5b3ef14afe3be64fbedea6fcd69b
SHA512 bed443629868c080450439a188ea9b735414cd157a02164ab08204c067bdc258177031dbe4ce8b1a5a1a5d150c8fc0299dfe53922c1ec4c11c6d527032bf539f

memory/1328-520-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/2720-539-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/2280-540-0x0000000000960000-0x0000000000E0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

memory/5728-572-0x0000000000750000-0x00000000007A1000-memory.dmp

memory/4844-591-0x00000260C1F40000-0x00000260C1F52000-memory.dmp

memory/4844-604-0x00000260C1CA0000-0x00000260C1CAA000-memory.dmp

memory/2720-744-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/1328-745-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/5728-746-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/5728-752-0x0000000000750000-0x00000000007A1000-memory.dmp

memory/2280-755-0x0000000000960000-0x0000000000E0E000-memory.dmp

memory/1328-756-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/5788-757-0x000000001C120000-0x000000001C13E000-memory.dmp

memory/2720-758-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/5788-759-0x000000001D040000-0x000000001D0E2000-memory.dmp

memory/5788-760-0x000000001C490000-0x000000001C4B0000-memory.dmp

memory/5788-761-0x000000001F840000-0x000000001FB90000-memory.dmp

memory/2280-762-0x0000000000960000-0x0000000000E0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC391.tmp

MD5 3daad470df391b2f80f1355a73f49b47
SHA1 fd3d71f1d5bcca2c56518cdb061fc1e0a2465dec
SHA256 a0732dc29331aee2809c08b9dd1bbddcfd6badc2b90a932b1e5c220d573e7b08
SHA512 a03c5c17710c1ecafebca8b3066db41e1d682a619162da61d12f7f84c8ead35b49b6f390a473e23c41baff6072ffc6000a52345d5a1f73371b8711f470216b6a

C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/1328-833-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/2720-849-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/5788-850-0x000000001BDF0000-0x000000001BE04000-memory.dmp

memory/2280-851-0x0000000000960000-0x0000000000E0E000-memory.dmp

memory/5196-852-0x0000000000400000-0x0000000002AE9000-memory.dmp

memory/1328-853-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/644-857-0x0000000004FF0000-0x0000000005026000-memory.dmp

memory/5976-854-0x0000000000400000-0x0000000002ED3000-memory.dmp

memory/644-858-0x0000000007900000-0x0000000007F28000-memory.dmp

memory/644-860-0x00000000075C0000-0x0000000007626000-memory.dmp

memory/644-859-0x0000000007760000-0x0000000007782000-memory.dmp

memory/644-861-0x00000000080A0000-0x00000000083F0000-memory.dmp

memory/644-862-0x00000000084B0000-0x00000000084CC000-memory.dmp

memory/644-863-0x00000000084E0000-0x000000000852B000-memory.dmp

memory/644-887-0x000000006E350000-0x000000006E6A0000-memory.dmp

memory/644-889-0x00000000098E0000-0x00000000098FE000-memory.dmp

memory/644-894-0x0000000009A40000-0x0000000009AE5000-memory.dmp

memory/644-885-0x000000006E300000-0x000000006E34B000-memory.dmp

memory/644-883-0x0000000009900000-0x0000000009933000-memory.dmp

memory/644-895-0x0000000009C10000-0x0000000009CA4000-memory.dmp

memory/644-1088-0x0000000009BB0000-0x0000000009BCA000-memory.dmp

memory/644-1093-0x0000000009BA0000-0x0000000009BA8000-memory.dmp

memory/5976-1111-0x0000000000400000-0x0000000002ED3000-memory.dmp

memory/2720-1113-0x00000000000C0000-0x000000000058D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u4fg.1.zip

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

C:\Users\Admin\AppData\Local\Temp\u4fg.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/920-1187-0x000000006EBD0000-0x000000006ED4B000-memory.dmp

memory/920-1188-0x00007FF9FC450000-0x00007FF9FC62B000-memory.dmp

memory/5740-1193-0x0000000000400000-0x0000000002B15000-memory.dmp

memory/5740-1197-0x0000000000400000-0x0000000002B15000-memory.dmp

memory/4796-1203-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/2280-1202-0x0000000000960000-0x0000000000E0E000-memory.dmp

memory/4796-1208-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/920-1224-0x000000006EBD0000-0x000000006ED4B000-memory.dmp

memory/2720-1227-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/1328-1228-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/5356-1229-0x0000000000400000-0x0000000001A17000-memory.dmp

memory/5516-1230-0x00007FF9FC450000-0x00007FF9FC62B000-memory.dmp

memory/4000-1243-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/5104-1244-0x000001FFF3E40000-0x000001FFF7738000-memory.dmp

memory/5104-1248-0x000001FFF93E0000-0x000001FFF93F4000-memory.dmp

memory/5104-1247-0x000001FFF93F0000-0x000001FFF93FC000-memory.dmp

memory/5104-1251-0x000001FFF9E80000-0x000001FFF9EA4000-memory.dmp

memory/5104-1246-0x000001FFF7AF0000-0x000001FFF7B00000-memory.dmp

memory/5104-1245-0x000001FFF9EC0000-0x000001FFF9FD0000-memory.dmp

memory/4336-1252-0x0000000007910000-0x0000000007C60000-memory.dmp

memory/4336-1253-0x0000000007D90000-0x0000000007DDB000-memory.dmp

memory/4336-1272-0x000000006EB80000-0x000000006EBCB000-memory.dmp

memory/4336-1278-0x00000000092F0000-0x0000000009395000-memory.dmp

memory/4336-1273-0x000000006DF20000-0x000000006E270000-memory.dmp

memory/2280-1483-0x0000000000960000-0x0000000000E0E000-memory.dmp

memory/1328-1846-0x0000000000830000-0x0000000000E08000-memory.dmp

memory/6100-1994-0x0000000000400000-0x0000000002ED3000-memory.dmp

memory/2720-1997-0x00000000000C0000-0x000000000058D000-memory.dmp

memory/5104-2000-0x000001FFFA800000-0x000001FFFA989000-memory.dmp

memory/2280-1999-0x0000000000960000-0x0000000000E0E000-memory.dmp

memory/5516-1998-0x000000006EBD0000-0x000000006ED4B000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b