Malware Analysis Report

2024-10-18 23:35

Sample ID 240927-cbcsxayhpp
Target e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe
SHA256 e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b
Tags
amadey lumma redline stealc 9c9aa5 @logscloudyt_bot default default2 fed3aa livetraffic newbundle2 save tg cloud @rlreborn admin @fatherofcarders credential_access discovery evasion infostealer persistence spyware stealer trojan asyncrat xworm collection execution rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b

Threat Level: Known bad

The file e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe was found to be: Known bad.

Malicious Activity Summary

Xworm

Detect Xworm Payload

RedLine payload

Lumma Stealer, LummaC

AsyncRat

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Unsecured Credentials: Credentials In Files

Identifies Wine through registry keys

Reads user/profile data of web browsers

Loads dropped DLL

Checks BIOS information in registry

Reads data files stored by FTP clients

Unexpected DNS network traffic destination

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Program crash

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

outlook_office_path

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: AddClipboardFormatListener

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-27 01:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-27 01:53

Reported

2024-09-27 01:56

Platform

win7-20240903-en

Max time kernel

73s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000026002\886e8d7e5d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000026002\886e8d7e5d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000026002\886e8d7e5d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe N/A
N/A N/A C:\Users\Admin\1000026002\886e8d7e5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\1000026002\886e8d7e5d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 45.155.250.90 N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\886e8d7e5d.exe = "C:\\Users\\Admin\\1000026002\\886e8d7e5d.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6f711455c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\e6f711455c.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ylrdnrwcx = "C:\\Users\\Admin\\AppData\\Roaming\\Ylrdnrwcx.exe" C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\69a02d81a5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\69a02d81a5.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\3ed5e3433b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\3ed5e3433b.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\778aa7892a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\778aa7892a.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000026002\886e8d7e5d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe N/A
N/A N/A C:\Users\Admin\1000026002\886e8d7e5d.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2516 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2516 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2516 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2724 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2724 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2724 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2724 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 560 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2724 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 2724 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 2724 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 2724 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2088 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2724 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2724 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2724 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2724 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 996 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe
PID 996 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe
PID 996 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe
PID 996 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe
PID 996 wrote to memory of 936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe
PID 996 wrote to memory of 936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe
PID 996 wrote to memory of 936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe
PID 996 wrote to memory of 936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe
PID 1100 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1100 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1100 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1100 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2724 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2724 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2724 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2724 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2572 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 2572 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 2572 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 2572 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 2860 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp
PID 2860 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe

"C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe

"C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe"

C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe

"C:\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp

"C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp" /SL5="$A0120,2980754,56832,C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe

"C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe" -i

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

"C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe"

C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

"C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

"C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe"

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

"C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 796

C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe

"C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe

"C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"

C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe

"C:\Users\Admin\AppData\Local\Temp\1000023001\778aa7892a.exe"

C:\Users\Admin\1000026002\886e8d7e5d.exe

"C:\Users\Admin\1000026002\886e8d7e5d.exe"

C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe

"C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef13b9758,0x7fef13b9768,0x7fef13b9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1132 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3008 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe

"C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe"

C:\Windows\system32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=1280,i,9786879479554557843,7094976770741426121,131072 /prefetch:8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

Network

Country  Destination           Domain                Proto
RU       185.215.113.16:80     185.215.113.16        tcp
RU       185.215.113.117:80    185.215.113.117       tcp
NL       194.116.215.195:80    194.116.215.195       tcp
DE       95.179.250.45:26212                         tcp
RU       185.215.113.26:80     185.215.113.26        tcp
FI       65.21.18.51:45580                           tcp
RU       185.215.113.26:80     185.215.113.26        tcp
RU       176.113.115.95:80     176.113.115.95        tcp
RU       185.215.113.17:80     185.215.113.17        tcp
NL       89.105.223.196:29862                        tcp
FI       95.216.143.20:12695                         tcp
US       8.8.8.8:53            lootebarrkeyn.shop    udp
US       8.8.8.8:53            gutterydhowi.shop     udp
US       172.67.132.32:443     gutterydhowi.shop     tcp
US       8.8.8.8:53            ghostreedmnu.shop     udp
US       172.67.142.10:443     ghostreedmnu.shop     tcp
US       8.8.8.8:53            offensivedzvju.shop   udp
US       172.67.197.172:443    offensivedzvju.shop   tcp
RU       185.215.113.67:15206                        tcp
US       8.8.8.8:53            vozmeatillu.shop      udp
US       104.21.60.251:443     vozmeatillu.shop      tcp
US       8.8.8.8:53            drawzhotdog.shop      udp
US       172.67.162.108:443    drawzhotdog.shop      tcp
US       8.8.8.8:53            fragnantbui.shop      udp
US       172.67.195.251:443    fragnantbui.shop      tcp
US       8.8.8.8:53            google.com            udp
US       8.8.8.8:53            stogeneratmns.shop    udp
US       104.21.58.102:443     stogeneratmns.shop    tcp
US       8.8.8.8:53            reinforcenh.shop      udp
US       172.67.208.139:443    reinforcenh.shop      tcp
US       8.8.8.8:53            steamcommunity.com    udp
GB       104.82.234.109:443    steamcommunity.com    tcp
TM       91.202.233.158:80     91.202.233.158        tcp
US       8.8.8.8:53            ballotnwu.site        udp
US       104.21.2.13:443       ballotnwu.site        tcp
RU       185.215.113.103:80    185.215.113.103       tcp
US       172.67.162.108:443    drawzhotdog.shop      tcp
RU       185.215.113.37:80     185.215.113.37        tcp
US       172.67.132.32:443     gutterydhowi.shop     tcp
US       172.67.142.10:443     ghostreedmnu.shop     tcp
US       172.67.197.172:443    offensivedzvju.shop   tcp
US       104.21.60.251:443     vozmeatillu.shop      tcp
US       172.67.195.251:443    fragnantbui.shop      tcp
US       104.21.58.102:443     stogeneratmns.shop    tcp
US       172.67.208.139:443    reinforcenh.shop      tcp
GB       104.82.234.109:443    steamcommunity.com    tcp
US       104.21.2.13:443       ballotnwu.site        tcp
RU       185.215.113.43:80     185.215.113.43        tcp
US       8.8.8.8:53            racedsuitreow.shop    udp
US       8.8.8.8:53            defenddsouneuw.shop   udp
US       104.21.26.56:443      defenddsouneuw.shop   tcp
RU       185.215.113.37:80     185.215.113.37        tcp
RU       185.215.113.37:80     185.215.113.37        tcp
RU       185.215.113.103:80    185.215.113.103       tcp
US       8.8.8.8:53            youtube.com           udp
GB       142.250.180.14:443    youtube.com           tcp
US       8.8.8.8:53            youtube.com           udp
RU       185.215.113.16:80     185.215.113.16        tcp
GB       142.250.180.14:443    youtube.com           tcp
US       8.8.8.8:53            www.youtube.com       udp
US       8.8.8.8:53            consent.youtube.com   udp
GB       142.250.178.14:443    consent.youtube.com   tcp
US       8.8.8.8:53            www.google.com        udp
GB       142.250.187.228:443   www.google.com        udp
GB       142.250.187.228:443   www.google.com        tcp
N/A      224.0.0.251:5353                            udp
GB       142.250.178.14:443    consent.youtube.com   udp
US       8.8.8.8:53            play.google.com       udp
US       8.8.8.8:53            beacons.gcp.gvt2.com  udp
GB       172.217.169.67:443    beacons.gcp.gvt2.com  tcp
GB       142.250.178.14:443    play.google.com       udp
SE       45.155.250.90:53      csbqlvu.net           udp
US       185.208.158.248:80    csbqlvu.net           tcp
NL       89.105.201.183:2023                         tcp

Files

memory/2516-0-0x0000000000010000-0x00000000004B9000-memory.dmp

memory/2516-1-0x0000000076F50000-0x0000000076F52000-memory.dmp

memory/2516-2-0x0000000000011000-0x000000000003F000-memory.dmp

memory/2516-3-0x0000000000010000-0x00000000004B9000-memory.dmp

memory/2516-5-0x0000000000010000-0x00000000004B9000-memory.dmp

memory/2516-10-0x0000000000010000-0x00000000004B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 a3a83347ae8fcdee6ec20f6ba13311c9
SHA1 c9da81cfc77925b9d7039a960adb5aabd5596128
SHA256 e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b
SHA512 ea4766909dd8314d430b15f097856fd26cf9584c488f8f8f26856fdddf76c9da879730ce292ba52cd8beedb6f02d3189265cc09cbc6942e5e8f50f692688013c

memory/2516-18-0x0000000000010000-0x00000000004B9000-memory.dmp

memory/2724-16-0x0000000000B30000-0x0000000000FD9000-memory.dmp

memory/2516-15-0x0000000006C50000-0x00000000070F9000-memory.dmp

memory/2724-19-0x0000000000B31000-0x0000000000B5F000-memory.dmp

memory/2724-20-0x0000000000B30000-0x0000000000FD9000-memory.dmp

memory/2724-21-0x0000000000B30000-0x0000000000FD9000-memory.dmp

memory/2724-24-0x0000000000B30000-0x0000000000FD9000-memory.dmp

memory/2724-23-0x0000000000B30000-0x0000000000FD9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

MD5 389881b424cf4d7ec66de13f01c7232a
SHA1 d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78
SHA256 9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746
SHA512 2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

memory/560-39-0x00000000002C0000-0x0000000000314000-memory.dmp

memory/3036-42-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3036-44-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3036-54-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3036-53-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3036-48-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3036-46-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3036-51-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3036-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpB858.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

MD5 84263ab03b0a0f2b51cc11b93ec49c9f
SHA1 e6457eb0e0131bec70a2fd4d4a943314f0bd28d4
SHA256 7d6e4e01c452dd502361640ee095e2bee35e3f55fd11edc9e94c3580d2c132b5
SHA512 db35a02345b5166077e300524675c523a8b4082fa62fc151c0797141348cae5e173eeaec5ad1e95556e048ea6ed34a78b90b1184420557c53cd91f351417ebb2

memory/2088-82-0x0000000000E20000-0x0000000000F02000-memory.dmp

memory/2724-83-0x0000000000B30000-0x0000000000FD9000-memory.dmp

memory/996-93-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-98-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-102-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

memory/996-99-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-95-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-101-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-91-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-89-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-87-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/996-85-0x0000000000400000-0x00000000004DE000-memory.dmp

\Users\Admin\AppData\Roaming\q6NbZzYCo0.exe

MD5 4e60f3fd76d9eab244f9dc00f7765b0b
SHA1 1a154d6e837e7105c551793131cde89f157c4330
SHA256 d6945846cc23c01b9c9ad2b97d35b5a14c01f1a4cc2ec651a596f06777ba4fec
SHA512 44727e25781f448579ac35aab94aff550ed9fe5ac58d95bd394569c62892dc78216ac687baa43cef66187ebe629f5dd9cd63ea274222d11dbef3440ec4d7f77a

memory/996-131-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\I5MugDbrfq.exe

MD5 a3ef9920a91b891837705e46bb26de17
SHA1 9cfbcd0f46ec86fb57d3d6d74a064f9098adf117
SHA256 171cef885f6c285e995ce3ec5960c5ea4e4ed049cec362745058fee39e4136cc
SHA512 c65e91091b95c3aba0af7df4ed6543d26bcb5b54d6fab82f9d2ac1ba156f475f98124a1a0e8851d69be23b1dc945c76c075cd32515203273260802e1224dbd6e

memory/936-134-0x0000000000980000-0x00000000009D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bf99bef1-312f-4726-8597-70228ef05e99

MD5 9f7508965ee73e000ac40517e1a8f636
SHA1 000df153ccbaed2ad61d122d688bf44db6c1487f
SHA256 2e30f5068d322130b6d924d490dd817d01f534867ab7cbbad0796e0ae8760e26
SHA512 9b2a4fa04c0f1b708b615c8cc86dfae3da88288ba1305d0413f898be4f141532732be65674fc41743d2cf4321ac2c195f7e71cd90e78f8828c0194212f29e7f5

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 866be56d61eec062cf6a88f5473f4afb
SHA1 011f184a66b0e41c1328c5137e6255f155495fc6
SHA256 ccc7d3fc2190d3d23160b60225cc231ef619d46fc752284b655c727e851fdb6a
SHA512 7a879cd58e1acf4120ff4a4d7f1f592c48d96f65cddb59752c4baf7b486c5b59bf5c0cc4321d1582bb3968d91c0148aa40360fab7e52e39c867922f826a6ee54

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/2724-177-0x0000000000B30000-0x0000000000FD9000-memory.dmp

memory/2724-178-0x00000000064B0000-0x00000000066F3000-memory.dmp

memory/1076-181-0x0000000000F90000-0x00000000011D3000-memory.dmp

memory/2724-180-0x00000000064B0000-0x00000000066F3000-memory.dmp

memory/2724-179-0x0000000000B30000-0x0000000000FD9000-memory.dmp

memory/2724-182-0x0000000000B30000-0x0000000000FD9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe

MD5 bb4417d907e43503f714273f1ae9cf44
SHA1 973ff5333f859fcf8fd7281509a9bd19d155d82c
SHA256 a1a117e8110faca90e94f5edd93e0ad4a5d7f49485e30bfa332db573464c7908
SHA512 ab80a72c2e805052084ffc360d9189db4f5f5797c36ade71d09a951843455d936fcff18e85819b48dba82332f142b34c26320f8d1ce8df08874829b276bc3018

memory/2860-198-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FQVRG.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-FQVRG.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-447OI.tmp\stories.tmp

MD5 c8afa039fc2a7f032512686fb50692df
SHA1 3fce9102949fa0fac312574e6d3756f26735c000
SHA256 123e40b411ba32e768103090c2eb1c3b874f2c933f7e9f30717185b41f232332
SHA512 f185aa5a85570dd2172752d59278fd6b2b61dba48890deb48ec2803f3e3e10573cf600ee91f1af1a77b56f2f44a52b16873ba5e6df2d85c097c16d8ebac98666

memory/1076-215-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe

MD5 b19555358f3c9abc6157b2b7aab2f658
SHA1 177fda0d1d0444e6cf1ca8a915f5f2212bd092e1
SHA256 2b0062e5ef0c0bbc9034ba09296f47b26dd0528dd8131dccfd10009a516b1104
SHA512 6bff37eb0c5617fab6512c9a31e701f04abfe1b5eb1fa70b93c83de9a118e434ecb1f49c6e7baf5335ae32d8b04b296835f028ca8eee7858c11a4797e07d64b0

memory/596-262-0x0000000000400000-0x00000000006FC000-memory.dmp

memory/3040-260-0x0000000003CA0000-0x0000000003F9C000-memory.dmp

memory/596-271-0x0000000000400000-0x00000000006FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

MD5 7fa5c660d124162c405984d14042506f
SHA1 69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
SHA256 fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
SHA512 d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

MD5 a21700718c70ec5e787ad373cb72a757
SHA1 027554ab5ff3245e7617f3b83d6548bf7919f92e
SHA256 87e639ecc7704cb5e29f1ebb1d8ade3ae863aaa2505a37b28f2d45121da500c6
SHA512 ea292a5442d9fe536e650a2bc5142dd3aef79c66930243897e0e87c57915f0a54e45e03e58daffb473f85fe10b963d4670050bff5ab3f91121d21d463e25659b

memory/952-307-0x00000000000D0000-0x000000000013C000-memory.dmp

\Users\Admin\AppData\Local\Temp\svchost015.exe

MD5 b826dd92d78ea2526e465a34324ebeea
SHA1 bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA256 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA512 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

memory/2084-312-0x0000000000400000-0x0000000000643000-memory.dmp

memory/408-326-0x0000000000400000-0x000000000081B000-memory.dmp

memory/2084-325-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2084-324-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2084-322-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2084-320-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2084-318-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2084-316-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2084-314-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

MD5 ff5afed0a8b802d74af1c1422c720446
SHA1 7135acfa641a873cb0c4c37afc49266bfeec91d8
SHA256 17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10
SHA512 11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

memory/2176-341-0x00000000009A0000-0x00000000009F4000-memory.dmp

memory/1108-345-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1108-355-0x0000000000400000-0x0000000000452000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\CabEC16.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarECB5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

MD5 2f1d09f64218fffe7243a8b44345b27e
SHA1 72553e1b3a759c17f54e7b568f39b3f8f1b1cdbe
SHA256 4a553c39728410eb0ebd5e530fc47ef1bdf4b11848a69889e8301974fc26cde2
SHA512 5871e2925ca8375f3c3ce368c05eb67796e1fbec80649d3cc9c39b57ee33f46476d38d3ea8335e2f5518c79f27411a568209f9f6ef38a56650c7436bbaa3f909

C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

MD5 58e8b2eb19704c5a59350d4ff92e5ab6
SHA1 171fc96dda05e7d275ec42840746258217d9caf0
SHA256 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
SHA512 e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bf99bef1-312f-4726-8597-70228ef05e99

MD5 ea2a2567ed4bafb7cef79b36179b873c
SHA1 5af1228367ca68169c71849fdb3493d3d6bbf62e
SHA256 07f8784043df1a9f111955266b7e74e449b296b7ed21f69d27b68872077eeb96
SHA512 b63b084d17f7cca8a6a867d0486c511580262577ec712a0d22aa807858adad56c018211b19b288216688d97b49372a7f7c5e0aea3bc304d749f60e0099fa6543

memory/1800-447-0x0000000000F80000-0x0000000000FD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

MD5 1ef39c8bc5799aa381fe093a1f2d532a
SHA1 57eabb02a7c43c9682988227dd470734cc75edb2
SHA256 0cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4
SHA512 13a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682

memory/496-476-0x0000000000C00000-0x0000000000CF8000-memory.dmp

memory/1076-477-0x0000000000F90000-0x00000000011D3000-memory.dmp

memory/496-478-0x00000000050B0000-0x000000000519E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

MD5 6b470f7251aa9c14d7daea8f6446e217
SHA1 a256c54d4dd7e0a7a1582d8fdfef5807bc3c4af4
SHA256 8b9097b795d42c49c3b2c560714226361671a3f1d711faa9aeaee20e22e7095f
SHA512 fdc553c9d2ff19343dd99b0b34c875752df4fa0cbd494096aeb51d859bd102448f1a5043a53a808045ae52077f180546a134b1aa69db4dc04aff2610fadeaca4

memory/496-1574-0x0000000004260000-0x00000000042AC000-memory.dmp

memory/496-1573-0x00000000048D0000-0x0000000004938000-memory.dmp

memory/5544-1595-0x00000000009C0000-0x0000000000A20000-memory.dmp

memory/496-1596-0x0000000004860000-0x00000000048B4000-memory.dmp

memory/2084-1610-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000354001\69a02d81a5.exe

MD5 904925a03f5e62b7b67ee30d22e9c7cf
SHA1 acec73d1e47b2dddf74addc3529345254135062f
SHA256 d5f6c82d696b68c10f33762a2fd0628afd233b0d07c99654b186f699446d990b
SHA512 688660f97c278e2fad8167af3c75ccf41e432d7962f0ea242b01d410026541fb140f723a1a42622515c987b692e207c79eb83493cce7ba73f189cf83e2a4fea3

memory/2724-1624-0x0000000006AD0000-0x0000000007169000-memory.dmp

memory/5864-1626-0x0000000001210000-0x00000000018A9000-memory.dmp

memory/2724-1625-0x0000000006AD0000-0x0000000007169000-memory.dmp

memory/5864-1646-0x0000000001210000-0x00000000018A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000355001\3ed5e3433b.exe

MD5 3221f7253640482f98a937d9ffe96317
SHA1 fa2773e5719df896ebd0d701764333b09cfeeadf
SHA256 66a6260f8ae8ef262d856928203a32e8a4da0c21e9425651df0586ff734d70e0
SHA512 9f50a9b722fa2abfc7289789c22c4a8c653f802f993f3f4ea6a47f7a942ff8a82dccc8a050d6c448401c9ef054aa082e75a53981864e92924201e5b107bc3d65

memory/2724-1658-0x0000000006AD0000-0x0000000006F68000-memory.dmp

memory/2340-1659-0x0000000000D00000-0x0000000001198000-memory.dmp

memory/2340-1668-0x0000000000D00000-0x0000000001198000-memory.dmp

memory/1680-1669-0x0000000000940000-0x0000000000DD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

MD5 b3fd0e1003b1cd38402b6d32829f6135
SHA1 c9cedd6322fb83457f56b64b4624b07e2786f702
SHA256 e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31
SHA512 04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1

memory/3400-1691-0x0000000000A90000-0x0000000000E0C000-memory.dmp

memory/3400-1695-0x0000000022510000-0x00000000225AE000-memory.dmp

memory/2724-1701-0x0000000006AD0000-0x0000000007169000-memory.dmp

memory/2724-1714-0x0000000006AD0000-0x0000000007169000-memory.dmp

memory/2724-1718-0x0000000006AD0000-0x0000000006F68000-memory.dmp

memory/1680-1715-0x00000000069B0000-0x0000000007049000-memory.dmp

memory/3508-1719-0x00000000013A0000-0x0000000001A39000-memory.dmp

memory/1680-1716-0x00000000069B0000-0x0000000007049000-memory.dmp

memory/3508-1721-0x00000000013A0000-0x0000000001A39000-memory.dmp

memory/1680-1729-0x0000000000940000-0x0000000000DD8000-memory.dmp

memory/1680-1736-0x00000000069B0000-0x0000000007049000-memory.dmp

memory/1680-1735-0x00000000069B0000-0x0000000007049000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000028001\e6f711455c.exe

MD5 79fda08d6cd311927c7d0eaed959553f
SHA1 4dfd21288d26ee265c3abba5d2e71963c32a4c29
SHA256 e68516f813a07bcdeb64d70caac4f382e7f3026a7639baa913f6e86256a35970
SHA512 110d187be4b9630ee07994b7087195e0b939d31872e0da63f403ebd706f14a64c7784d3a3068cbdeb864131c551423208c77b0e6a58ae01879c5e3b6bed0acd8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/1680-1797-0x00000000069B0000-0x0000000007049000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000029001\8ee706b4b2.exe

MD5 5e8202d139d4f31cf0637105bfb93fcc
SHA1 7a73d8aed5a165c4a4db627c753ae092a6407de2
SHA256 8278c069e0fd88b41b19cf1d85fdc26cbf6947716f53a72491cb4792c20a3c56
SHA512 0a5230e4d1b698dace5b010ab9f58f7e669b447ecb109dbf7f56a1176138146d50cbe2d89f5d4fd8166b64545f6556e613f47cc1ef77726698f89ceab96e6ccf

memory/1680-1831-0x00000000069B0000-0x0000000007049000-memory.dmp

memory/3400-1832-0x00000000242D0000-0x00000000242EA000-memory.dmp

memory/3400-1836-0x0000000023080000-0x0000000023086000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/5672-1926-0x00000000001E0000-0x00000000001FA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b5bc618f-5175-496d-92fe-5f134c794c01.tmp

MD5 62181a1db7bdb519371eaba240516e1f
SHA1 a2661d07b56266d231bb5baf88c787bb3359da96
SHA256 81539afd65290094a57c00acc957800f6779776233f55e292991eaf9c05e03e8
SHA512 7d68c046d3174f27449309a5c6b233ea6655f7688f149d7052cfc7b90e18cf2dc9966b2648f7dd6142245e52f50bcfc5309fb6ffda4dd1e48dd8514edd86300a

memory/2724-1957-0x00000000064B0000-0x00000000066F3000-memory.dmp

memory/2724-1959-0x00000000064B0000-0x00000000066F3000-memory.dmp

memory/3040-1960-0x0000000003CA0000-0x0000000003F9C000-memory.dmp

memory/596-1961-0x0000000000400000-0x00000000006FC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 f03b29bfec3db9278f631f4877e3f28c
SHA1 0291945871a1ec2d2ecdf3dd0ff09adf351eb77d
SHA256 bab5c53524105f803e7f481d55ba963132ca22b359b0c5f8d76e9418e664b19e
SHA512 e9ad52652f0e7a660c5346ad941c636a956e2267234db6a9deeb95c49a6a89e9846070465f9479e3cf6d855a4f3d614c0a0db4a1a4b301ee1a0ef1e7c11a7c07

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-27 01:53

Reported

2024-09-27 01:56

Platform

win10v2004-20240910-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4376 created 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\iUgYxIJ8Vk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E7VLB.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A
N/A N/A C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\service123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\service123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\service123.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.89.198.214 N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d4ec10a9ee.exe = "C:\\Users\\Admin\\1000026002\\d4ec10a9ee.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8dbfa10f84.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\8dbfa10f84.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ylrdnrwcx = "C:\\Users\\Admin\\AppData\\Roaming\\Ylrdnrwcx.exe" C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d9b789d71.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\2d9b789d71.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f53a2abceb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\f53a2abceb.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\service123.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-E7VLB.tmp\stories.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\iUgYxIJ8Vk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718756861291449" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c0
2b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E7VLB.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E7VLB.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe N/A
N/A N/A C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
N/A N/A C:\Users\Admin\1000026002\d4ec10a9ee.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E7VLB.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2420 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2420 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 4136 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 4136 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 4136 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1448 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 4136 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 4136 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4128 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 4136 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 4136 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 3908 wrote to memory of 2420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\iUgYxIJ8Vk.exe
PID 3908 wrote to memory of 2420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\iUgYxIJ8Vk.exe
PID 3908 wrote to memory of 2420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\iUgYxIJ8Vk.exe
PID 3908 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe
PID 3908 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe
PID 3908 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe
PID 5028 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 5028 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 5028 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 4136 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 4136 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 4136 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 4136 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 4136 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 4136 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 4136 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 4136 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 4136 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 5008 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe
PID 5008 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe
PID 5008 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe
PID 4136 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
PID 4136 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
PID 4136 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1716 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4084 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 4084 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe

"C:\Users\Admin\AppData\Local\Temp\e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Roaming\iUgYxIJ8Vk.exe

"C:\Users\Admin\AppData\Roaming\iUgYxIJ8Vk.exe"

C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe

"C:\Users\Admin\AppData\Roaming\AbdlzPwLwp.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"

C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe

"C:\Users\Admin\AppData\Local\Temp\1000064001\JavvvUmar.exe"

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

"C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe"

C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Users\Admin\AppData\Local\Temp\is-E7VLB.tmp\stories.tmp

"C:\Users\Admin\AppData\Local\Temp\is-E7VLB.tmp\stories.tmp" /SL5="$B0052,2980754,56832,C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

"C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"

C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe

"C:\Users\Admin\AppData\Local\Fido Video Recorder\fidovideorecorder32_64.exe" -i

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

"C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe"

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

"C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1240

C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe

"C:\Users\Admin\AppData\Local\Temp\1000354001\2d9b789d71.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'

C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe

"C:\Users\Admin\AppData\Local\Temp\1000355001\f53a2abceb.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4504 -ip 4504

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'

C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe

"C:\Users\Admin\AppData\Local\Temp\1000023001\95f2c7a6b4.exe"

C:\Users\Admin\1000026002\d4ec10a9ee.exe

"C:\Users\Admin\1000026002\d4ec10a9ee.exe"

C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe

"C:\Users\Admin\AppData\Local\Temp\1000028001\8dbfa10f84.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa6937cc40,0x7ffa6937cc4c,0x7ffa6937cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=1908 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2260 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa6937cc40,0x7ffa6937cc4c,0x7ffa6937cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3156 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3176 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe

"C:\Users\Admin\AppData\Local\Temp\1000029001\07893e10c2.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3892,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4076 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 6

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4492,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4936 /prefetch:8

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5004,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5104 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,16757106858712106481,17564853718144409370,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5068 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa6937cc40,0x7ffa6937cc4c,0x7ffa6937cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,16568004056310449657,8567046247693621180,262144 --variations-seed-version=20240926-050110.326000 --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,16568004056310449657,8567046247693621180,262144 --variations-seed-version=20240926-050110.326000 --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,16568004056310449657,8567046247693621180,262144 --variations-seed-version=20240926-050110.326000 --mojo-platform-channel-handle=2464 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,16568004056310449657,8567046247693621180,262144 --variations-seed-version=20240926-050110.326000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,16568004056310449657,8567046247693621180,262144 --variations-seed-version=20240926-050110.326000 --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,16568004056310449657,8567046247693621180,262144 --variations-seed-version=20240926-050110.326000 --mojo-platform-channel-handle=4648 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,16568004056310449657,8567046247693621180,262144 --variations-seed-version=20240926-050110.326000 --mojo-platform-channel-handle=4724 /prefetch:8

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto

Files

SHA256 f01d7af7267f81573802f59a0c0672f6f56af86fa5a985e6f23e6d34b438c6e5
SHA512 4be2fe52fcaff60f2e910b9ec2496a37e29ae1a5bd4364eefbf169ce54fff30926de969244d5e70f78513ceb11c337f6f43c4ffc663a273b116d55b9f4090dcc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 502fba768c786002614837456b76c096
SHA1 7bf30c304d80e0e52b1994a4575a33ef19063ba9
SHA256 b80e02cb5b42046072dfd23b06ea63dfeaaaa521942344bb55c2b08bb925e2d9
SHA512 27d70d9a9352c7aa5c2407962e0bd4763fa8b8a5fc946a32f3245c1facb6f13da613cb990b0b47d23fe02cb19e9abe8e69d3253ab5750e4525d1ef6525fa7c66

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 60a261f93f3f46641056cc7ad68628b3
SHA1 724b520d19f969cad6b02e27a9ecb3ad46554fc7
SHA256 5c38c462054f61308c5a8c7f9bcc9a9bf4f3032877f9109e486c76ccb18658a2
SHA512 1c4a23acebd87e65430ef0df34f00e995333383d6814b892b24fc54f37b994dcf47d98771d34b05f3ea433f969c257caf96a137fae6f3ddc93c64d7661aca664

memory/1848-2095-0x0000000000980000-0x0000000000E29000-memory.dmp

memory/540-2096-0x0000000000A30000-0x0000000000EC8000-memory.dmp

memory/1848-2098-0x0000000000980000-0x0000000000E29000-memory.dmp

memory/540-2100-0x0000000000A30000-0x0000000000EC8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2e697a276eff0551361a6007b926c80e
SHA1 79b889c22210463cbd855cb19cbb4b8508dbeec5
SHA256 ca70708fee2114ba548d908ad147dddc1dcbb5881a850e43b08aaf9c16112318
SHA512 6deafe23673d87f37904a79f3b4e57bc6708fad819d8401d2ed5cf7dc00c5c29055858a378094142e3a4abcf4a5066b3b029dea7efa0057b5098b86fc1ed377e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 da13cff4f102ef50082bcad1fd3d32c4
SHA1 38b150d79d525f153b379ed85ea90f9eba40e0a7
SHA256 5548f746661e6457857e61048597db48903c0799f19fb8321261c624f1dd19d9
SHA512 ff289b4e14d7b296b44c8c0b5c0de6d29193de87a18b090cec0284ed30606edc9ecb7486b4af55d59ed5ed3f34c7bd953dcfb77d183417f815eab381bc4efeb2

C:\Users\Admin\AppData\Local\Temp\neon.exe

MD5 0e362e7005823d0bec3719b902ed6d62
SHA1 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

memory/5576-2182-0x0000000000A60000-0x0000000000A7A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0d78ce18841ba6ec4ef13c943b16d8a5
SHA1 ab9a2bea94fdd77cbba7e035b9acfc64144a4494
SHA256 ae5ecd4fc59d5f1629849f4e8d2a19d6bc7c5f50e706bee4fdec9d46fe30c809
SHA512 4f85ac2393986eadfe5fd423953c5c26d84988eedb7273ada7c692d2ce9938c93fd26faf41dcdfea921c10b5967f39949306a733454f3a49512122df9325d0ae

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3f41c9f67e75aae0b7009cd75b0d4b51
SHA1 c66065384f9b7f1865e48d9cbfbe33d28135ec97
SHA256 efdf567e18db2e6db67d0d5f732b822ba8bb255e08b065a3d614af2fc59b9af0
SHA512 d611f0c62e59c6e7715842c96c3165142bc4978114e576f2bdd9246f4824764593e2252f9da5d133e154c81fc933205ce583e6a4c89feb89d1dda7fa868690cb

memory/656-2355-0x0000000000400000-0x00000000006FC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 11d6a7928b1e2de4e2ba3f96591a890e
SHA1 5b81e290bf9c52a8d9af318ba41e86d9ae93e119
SHA256 5ff7408d937497dfd2c29e415ad45c7a04e2de213119d380aed7162f18362c80
SHA512 f1f12393967e73641fef36907959d0ccfcaa12c1874a1bcde889fe654841203f3943a08c4d9db3cafcc475f6ad717082fb68343eb0aef43d434037e9db5431b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 58e512e3b8b47e264fb25f0e17589baa
SHA1 f48682565acedf1bef63e2d96b39c194de1bb60a
SHA256 ad3124a97debcc5dcc46e31320ae2b9bf1a00196ea7b69bcd0997882ef3f402b
SHA512 2c5e11d7b07e2c06aa67a4c1f765be3d8e11430e16ed057c8d9674cda5211716f35749ab0029537eb986aadf95116e896e7a46e1cbeeb2f9cc7221b88c44b12c

memory/5816-2593-0x0000000040000000-0x0000000040030000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 25ab11b391f99ef756200d1d19217579
SHA1 e2459dcdf002ec3ee3ef421252a4c86a35fa9618
SHA256 752e82473945d214a518a3b058ad6330873411af8c597b9eac6726a6e068674f
SHA512 763988ae1d90ee7c97c1116ea4bd9a11befb9eb43b46d8a0b9d10143743a09a486e65ad5c5701416ca7517b5081e4df0ef98afd491f4d3394e4dafa2b771e97d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 16f23a1d7783cc715d0b9ae8514312db
SHA1 6a0cbd0a5cf546605fd7b43689fc98c839e49938
SHA256 a198afc088f59013393271cd67adffdff646dfa550282e6a7bc24a653328b43e
SHA512 c3382615c9a6749771376b95cda3f653cdff00631d36e2e06935672fe61e3efde7a0272cb62f68be6649a480ba55365f56d7d006fef6cbc0238108377f73e5d1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 f8b504c854421c964418ce0fbb2d2a0d
SHA1 b6145d93c737103d69a5f64cd0b243ef24209a93
SHA256 a5eaa63cf973f9a01d74ec2180fcb4d198ff7fccc12d8de1ff277f0014747fd4
SHA512 b483e0c6c39450523b4b275efcbfd442c8cdb5191aa7a5488a8fd249a558659fb28c7c8078cf5104f6f4d89550a7b51c971c3319f59d6b4eb741fcefe45544c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c9c69ad21161b0d56694127fab8e94d5
SHA1 af60798ac1af12ed6d8ce25004509a2e7e16000c
SHA256 346501df1bbe7f6d6f507a7dc27277d6cad55d0c19e2611f376e085d03056fb4
SHA512 96b0d7db50bb81d2725ee92cbd86dd743b74ab540fbfe0560f3fd2f9d5b0c720ec16fd3c7f4950c5d17b38dc9bc3b2c7919c27e78607ca3812b2e5bfa38035d8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a0fc2c1e9b2dae846b6d0d75efbfda32
SHA1 b8cd630c49acc9be9587417a72c34a9ed078450d
SHA256 23899bce632e7765d62c553753e6d62e96db97e9ee134682f7ac8a56cf568068
SHA512 7ca449e8b50487bb97d831e33b96af81fb26d758580a41c20cbb626e23708a8ea255bac2d35056f150eb18d8cb99da837d836ef141003f3940ef33a346ee6cf2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 031377190045e9c4e9c940b1cea41ef7
SHA1 dd9060994adff4103faaf04c2550d956ad193d9b
SHA256 d4fc3bdd101da9ca2a8cd4cafa0fd6b4092221207095a6c5cfdc1c9801c4173d
SHA512 f1cb0cf8befec2b7886893990ab76ad70f76297490a791df87fcffd60bcf9dbe62926bf6a10eb5f8b799fb86a8048d6f90a7d15ccb9418858d4e914d89cf400c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ec4b29754a4d7c9df317ae625c192298
SHA1 3ca1de36983d1481ddeeb401af3294ec7c95ac22
SHA256 db55b94d0632be10191b6270e88283ae1249c0cf891601843ef7c581eed43570
SHA512 b960d8f7d19eb10d39f5741d795b50dd9555b92542b73311e0c91bbd5ac124f75b9f7c93f692ce3c919ee35703ecd5efa8ec315d7f76bab61e8c11d95bff8f16