Malware Analysis Report

2024-10-18 23:35

Sample ID 240927-g2rf7syfrj
Target 1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37
SHA256 1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37
Tags
amadey fed3aa discovery evasion trojan asyncrat lumma redline stealc xworm 9c9aa5 @logscloudyt_bot default default2 livetraffic newbundle2 save tg cloud @rlreborn admin @fatherofcarders collection credential_access execution infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37

Threat Level: Known bad

The file 1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37 was found to be: Known bad.

Malicious Activity Summary

Amadey

AsyncRat

Detect Xworm Payload

Lumma Stealer, LummaC

RedLine payload

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Unexpected DNS network traffic destination

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Adds Run key to start application

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Modifies data under HKEY_USERS

outlook_office_path

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-27 06:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-27 06:18

Reported

2024-09-27 06:20

Platform

win7-20240708-en

Max time kernel

141s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe

"C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp

Files

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 8bd20ee350a72cee7fbf9228e2827c21
SHA1 e7d79089911c45a5ba54b026409e43211a469469
SHA256 1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37
SHA512 768e0488e8922ca1a6c4df3a44bb7766a91bb82b4de3cf83054e81ec228399c8fd978880084cd7fc4d3d5f3a4c6f3c6575e997c05bd01e06dfdba045e2e6b2cd

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-27 06:18

Reported

2024-09-27 06:20

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1572 created 3348 N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000026002\d9dcad593c.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000026002\d9dcad593c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000026002\d9dcad593c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hTeItleYKL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
N/A N/A C:\Users\Admin\1000026002\d9dcad593c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\1000026002\d9dcad593c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.89.198.214 N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e8e97a2a56.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\e8e97a2a56.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ylrdnrwcx = "C:\\Users\\Admin\\AppData\\Roaming\\Ylrdnrwcx.exe" C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\78239afd70.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\78239afd70.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e3f5d198d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\3e3f5d198d.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b8e0eb3b41.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\b8e0eb3b41.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d9dcad593c.exe = "C:\\Users\\Admin\\1000026002\\d9dcad593c.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\hTeItleYKL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000026002\d9dcad593c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718915452512384" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
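The Blob value above is a CryptoAPI serialized certificate context: a sequence of records of the form DWORD property id, DWORD reserved (always 1), DWORD length, data, and the registry subkey name is the SHA-1 thumbprint of the certificate the blob carries. The decoder below is an added example, not part of the report or of the sample. The blob bytes are copied from the row above; the property ids and the field layout of CRYPT_KEY_PROV_INFO come from wincrypt.h; the DER walker is the minimum needed to read a v3 certificate and does not verify the signature. Run on this blob it yields a self-signed "Titanium Root Certificate Authority" certificate (serial 0x67f7beb96a4c2798, valid 2023-03-14 to 2026-06-17, basicConstraints CA:TRUE, extended key usage serverAuth) whose private key is referenced through a CSP key container on the victim, and it confirms that sha1(DER) equals the key name F1A578C4CB5DE79A370893983FD4DA8B67B2B064.

```python
# Added example (not part of the sandbox report): decode the certificate Blob that
# RegAsm.exe wrote under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
# and confirm that the registry key name is the SHA-1 of the embedded certificate.
# Property ids and record layout: CryptoAPI serialized certificate context (wincrypt.h).
import hashlib
import struct

CERT_KEY_PROV_INFO_PROP_ID = 2    # serialized CRYPT_KEY_PROV_INFO: where the private key lives
CERT_SHA1_HASH_PROP_ID = 3        # cached thumbprint
CERT_FRIENDLY_NAME_PROP_ID = 11   # UTF-16LE display name
CERT_CERT_PROP_ID = 32            # the DER-encoded certificate itself

KEY_NAME = "F1A578C4CB5DE79A370893983FD4DA8B67B2B064"   # registry subkey name from the report

BLOB = bytes.fromhex(   # the Blob value from the report, split at property boundaries
    # CERT_FRIENDLY_NAME_PROP_ID (0x0b), 0x48 bytes: "Titanium Root Certificate Authority" in UTF-16LE
    "0b0000000100000048000000"
    "54006900740061006e00690075006d00200052006f006f007400200043006500720074006900"
    "660069006300610074006500200041007500740068006f0072006900740079000000"
    # CERT_KEY_PROV_INFO_PROP_ID (0x02), 0xcc bytes: two string offsets, dwProvType, dwFlags,
    # cProvParam, rgProvParam placeholder, dwKeySpec, then container and provider names
    "0200000001000000cc000000" "1c0000006c0000000100000000000000000000000000000001000000"
    "7b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d00"
    "41003200310033002d004200410030004300450039003400340039003300380045007d0000000000"
    "4d006900630072006f0073006f0066007400200045006e00680061006e00630065006400200043007200790070007400"
    "6f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000"
    # CERT_SHA1_HASH_PROP_ID (0x03), 20 bytes
    "030000000100000014000000" "f1a578c4cb5de79a370893983fd4da8b67b2b064"
    # CERT_CERT_PROP_ID (0x20), 0x30a bytes: the DER certificate
    "20000000010000000a030000"
    "30820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500"
    "302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479"
    "301e170d3233303331343130333532305a170d3236303631373130333532305a"
    "302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "86e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713"
    "bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b"
    "94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a"
    "311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c519"
    "0203010001"
    "a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff"
    "300d06092a864886f70d01010b0500" "0382010100"
    "70851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c"
    "02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8"
    "d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13a"
    "a8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61"
)


def parse_cert_blob(blob):
    """Split a serialized certificate context into (property_id, data) pairs."""
    props, off = [], 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off}")
        props.append((prop_id, blob[off + 12:off + 12 + length]))
        off += 12 + length
    return props


def decode_key_prov_info(data):
    """Serialized CRYPT_KEY_PROV_INFO: the two pointers are stored as offsets into the record."""
    cont_off, prov_off, prov_type, flags, _n_params, _params, key_spec = struct.unpack_from("<7I", data)

    def wstr(off):                      # NUL-terminated UTF-16LE string at offset
        end = off
        while data[end:end + 2] != b"\x00\x00":
            end += 2
        return data[off:end].decode("utf-16-le")

    return {"container": wstr(cont_off), "provider": wstr(prov_off),
            "provider_type": prov_type, "flags": flags, "key_spec": key_spec}


def der_tlv(buf, off=0):
    """One DER element: returns (tag, value, offset after the element)."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    length = first
    if first & 0x80:                    # long form: low bits give the number of length bytes
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """All top-level elements inside a constructed DER value."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def summarize_certificate(der):
    """Serial, validity, first subject attribute and basicConstraints CA flag of a v3 certificate."""
    tbs = der_children(der_tlv(der)[1])[0][1]
    f = der_children(tbs)   # [0] version, serial, sigAlg, issuer, validity, subject, spki, [3] extensions
    not_before, not_after = (v.decode() for _, v in der_children(f[4][1]))
    first_attr = der_children(der_children(der_children(f[5][1])[0][1])[0][1])   # SEQ > SET > SEQ {OID, value}
    is_ca = False
    for _, ext in der_children(der_children(f[7][1])[0][1]):
        parts = der_children(ext)                      # OID, optional critical BOOLEAN, OCTET STRING
        if parts[0][1] == bytes.fromhex("551d13"):     # id-ce-basicConstraints
            inner = der_children(der_children(parts[-1][1])[0][1])
            is_ca = any(t == 0x01 and v == b"\xff" for t, v in inner)
    return {"serial": int.from_bytes(f[1][1], "big"), "not_before": not_before,
            "not_after": not_after, "subject": first_attr[1][1].decode(), "is_ca": is_ca}


def check_blob(blob, key_name):
    """Decode the blob and verify sha1(certificate) == stored hash property == registry key name."""
    props = dict(parse_cert_blob(blob))
    der = props[CERT_CERT_PROP_ID]
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    out = summarize_certificate(der)
    out.update(
        friendly_name=props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        key_prov_info=decode_key_prov_info(props[CERT_KEY_PROV_INFO_PROP_ID]),
        thumbprint=thumbprint,
        thumbprint_matches_key=(thumbprint == stored == key_name.upper()),
    )
    return out


if __name__ == "__main__":
    for k, v in check_blob(BLOB, KEY_NAME).items():
        print(f"{k}: {v}")
```

The same decode applies to every value under the ROOT, CA and AuthRoot store keys on a live host. A root whose blob also carries a key-provider record, as this one does (provider type 1, key spec 1, a fresh GUID-named container), has its private key on the victim, which is the shape of a certificate generated locally rather than imported, and with CA:TRUE plus serverAuth in the machine ROOT store it is trusted for any TLS server certificate it signs. `certutil -delstore Root F1A578C4CB5DE79A370893983FD4DA8B67B2B064` removes it.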

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Users\Admin\1000026002\d9dcad593c.exe N/A
N/A N/A C:\Users\Admin\1000026002\d9dcad593c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 4936 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 4936 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 4428 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 4428 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 4428 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4428 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 4428 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 4428 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4428 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 4428 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 4428 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 1724 wrote to memory of 4364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\hTeItleYKL.exe
PID 1724 wrote to memory of 4364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\hTeItleYKL.exe
PID 1724 wrote to memory of 4364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\hTeItleYKL.exe
PID 1724 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe
PID 1724 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe
PID 1724 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe
PID 1956 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1956 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1956 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 4428 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 4428 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 4428 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 1240 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 1240 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 1240 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 3748 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp
PID 3748 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp
PID 3748 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp
PID 5004 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe
PID 5004 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe
PID 5004 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe
PID 4428 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 4428 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 4428 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 4428 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 4428 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 4428 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 4428 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
PID 3160 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe

"C:\Users\Admin\AppData\Local\Temp\1d51503c34d63c3df4687f630c252b7a0a9cb194f42a7af8cf3b9c8c51642f37.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Roaming\hTeItleYKL.exe

"C:\Users\Admin\AppData\Roaming\hTeItleYKL.exe"

C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe

"C:\Users\Admin\AppData\Roaming\rXPieE3Lxl.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RL1AA.tmp\stories.tmp" /SL5="$60278,3554050,56832,C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe

"C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe" -i

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

"C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe"

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

"C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3332 -ip 3332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1232

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

"C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe"

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

"C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe

"C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'

C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe

"C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'

C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe

"C:\Users\Admin\AppData\Local\Temp\1000023001\b8e0eb3b41.exe"

C:\Users\Admin\1000026002\d9dcad593c.exe

"C:\Users\Admin\1000026002\d9dcad593c.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe

"C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffef218cc40,0x7ffef218cc4c,0x7ffef218cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,4468346804886424740,15127152140368809931,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,4468346804886424740,15127152140368809931,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,4468346804886424740,15127152140368809931,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2604 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,4468346804886424740,15127152140368809931,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,4468346804886424740,15127152140368809931,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 7

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe

"C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,4468346804886424740,15127152140368809931,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4504 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,4468346804886424740,15127152140368809931,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4832 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef218cc40,0x7ffef218cc4c,0x7ffef218cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,8587357802030050830,2461173482716876987,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=1760 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,8587357802030050830,2461173482716876987,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,8587357802030050830,2461173482716876987,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=2564 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,8587357802030050830,2461173482716876987,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,8587357802030050830,2461173482716876987,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,8587357802030050830,2461173482716876987,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=4656 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,8587357802030050830,2461173482716876987,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=4788 /prefetch:8

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto

Files


MD5 58e8b2eb19704c5a59350d4ff92e5ab6
SHA1 171fc96dda05e7d275ec42840746258217d9caf0
SHA256 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
SHA512 e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

memory/4404-442-0x00000000008E0000-0x0000000000932000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

MD5 1ef39c8bc5799aa381fe093a1f2d532a
SHA1 57eabb02a7c43c9682988227dd470734cc75edb2
SHA256 0cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4
SHA512 13a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682

memory/1572-484-0x00000000003C0000-0x00000000004B8000-memory.dmp

memory/1572-485-0x0000000005040000-0x000000000512E000-memory.dmp

memory/1572-489-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-521-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-520-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-517-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-515-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-511-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-509-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-507-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-505-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-501-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-499-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-497-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-495-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-493-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-491-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-487-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-486-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-513-0x0000000005040000-0x0000000005128000-memory.dmp

memory/1572-503-0x0000000005040000-0x0000000005128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

MD5 6b470f7251aa9c14d7daea8f6446e217
SHA1 a256c54d4dd7e0a7a1582d8fdfef5807bc3c4af4
SHA256 8b9097b795d42c49c3b2c560714226361671a3f1d711faa9aeaee20e22e7095f
SHA512 fdc553c9d2ff19343dd99b0b34c875752df4fa0cbd494096aeb51d859bd102448f1a5043a53a808045ae52077f180546a134b1aa69db4dc04aff2610fadeaca4

memory/1572-1580-0x0000000005870000-0x00000000058BC000-memory.dmp

memory/1572-1579-0x00000000057C0000-0x0000000005828000-memory.dmp

memory/1572-1588-0x0000000005940000-0x0000000005994000-memory.dmp

memory/5036-1591-0x00000000003E0000-0x0000000000440000-memory.dmp

memory/5972-1593-0x0000000000500000-0x000000000052E000-memory.dmp

memory/5972-1594-0x0000000004960000-0x00000000049FC000-memory.dmp

memory/4816-1598-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000354001\78239afd70.exe

MD5 db555e4fdc380e9e8a19fcc609f7d1aa
SHA1 be66e90a5d5ce54f1a90bd59a3b4723e1a53d89c
SHA256 c1cd69890f1f81efd491b94bfff2d9e1263f4a843fc42b649aac082cf378f3a8
SHA512 6c48434a9457204b2beaf6cbb6a3668af343a42e82d289acdb6bdf8c05f53fa518ba0b150a5afe45426c19d81b7d0deab42d08228b1d20ead7b213335cdec8db

memory/1804-1616-0x0000000000E50000-0x00000000014EC000-memory.dmp

memory/1804-1624-0x0000000000E50000-0x00000000014EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000355001\3e3f5d198d.exe

MD5 0fc09656aa3f642c56e40297326df58d
SHA1 e380ac49608735e0cf627a1d662088a360a4f3c9
SHA256 f053f59098a67146b4a067d1decc7a78e23e751cb15355cd953e4b2b307d2e13
SHA512 a6eed1d5512fa724081079dacf70bbc304b078f68d35877da1eb9d5ded820c0948623830628146a7c021bc54c35e1390c0ba349492d6e1cf0fc909f48aef0398

memory/2992-1634-0x0000000003080000-0x00000000030B6000-memory.dmp

memory/2992-1639-0x0000000005B90000-0x00000000061B8000-memory.dmp

memory/4516-1643-0x0000000000FE0000-0x000000000149F000-memory.dmp

memory/2992-1653-0x0000000006490000-0x00000000064B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iru1ukno.3ki.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2992-1654-0x0000000006530000-0x0000000006596000-memory.dmp

memory/2992-1655-0x00000000065A0000-0x00000000068F4000-memory.dmp

memory/2992-1656-0x0000000006960000-0x000000000697E000-memory.dmp

memory/4516-1669-0x0000000000FE0000-0x000000000149F000-memory.dmp

memory/4788-1670-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/2992-1672-0x000000006C840000-0x000000006C88C000-memory.dmp

memory/2992-1671-0x0000000006F40000-0x0000000006F72000-memory.dmp

memory/2992-1682-0x0000000006F20000-0x0000000006F3E000-memory.dmp

memory/2992-1683-0x0000000007B40000-0x0000000007BE3000-memory.dmp

memory/2992-1684-0x00000000082E0000-0x000000000895A000-memory.dmp

memory/2992-1685-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

memory/2992-1686-0x0000000007D10000-0x0000000007D1A000-memory.dmp

memory/2992-1687-0x0000000007F20000-0x0000000007FB6000-memory.dmp

memory/2992-1688-0x0000000007EA0000-0x0000000007EB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

MD5 b3fd0e1003b1cd38402b6d32829f6135
SHA1 c9cedd6322fb83457f56b64b4624b07e2786f702
SHA256 e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31
SHA512 04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1

memory/2396-1707-0x0000000000390000-0x000000000070C000-memory.dmp

memory/2992-1708-0x0000000007ED0000-0x0000000007EDE000-memory.dmp

memory/2992-1710-0x0000000007EE0000-0x0000000007EF4000-memory.dmp

memory/2396-1711-0x0000000023EE0000-0x0000000023F7E000-memory.dmp

memory/2992-1712-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

memory/2992-1713-0x0000000007FC0000-0x0000000007FC8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/5488-1726-0x0000000005760000-0x0000000005AB4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 23dc801a88ebd165a83c5f239a512b52
SHA1 8d65d3bbe517716b2de16896f60b1c6203883c64
SHA256 edcecd7b5d68cb596bdcdd4ced4ff4f4a1678693947d5c7496b4d2d24b764ed3
SHA512 24bcb0ca2c1a7e0375cbc81d237ef17a97f489d078dca8d7be1f90d31bc119352face9b7f5a80af51758e2df1826f66af8ba786d970d2554b562722be8750246

memory/5488-1737-0x000000006C840000-0x000000006C88C000-memory.dmp

memory/5488-1749-0x0000000006E60000-0x0000000006F03000-memory.dmp

memory/1176-1757-0x0000000000F80000-0x000000000161C000-memory.dmp

memory/5488-1758-0x00000000071A0000-0x00000000071B1000-memory.dmp

memory/5488-1759-0x00000000071E0000-0x00000000071F4000-memory.dmp

memory/1176-1762-0x0000000000F80000-0x000000000161C000-memory.dmp

memory/5732-1777-0x0000000000140000-0x00000000007DC000-memory.dmp

memory/5732-1779-0x0000000000140000-0x00000000007DC000-memory.dmp

memory/4788-1780-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/5280-1781-0x0000000000E90000-0x000000000134F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000028001\e8e97a2a56.exe

MD5 cf2cd80a393670f0241c8c3740ac1ff2
SHA1 5b964539130e93ea7ec8a36e0c08a0da84624ce9
SHA256 64c99465ec6ccad13433eb32c6069b3f636efa881f027015d518576aa2bc6b31
SHA512 870562c47963165ef45c947a78d62ab34356ed288b45efc7b2c82ad10cfe3c7791b3bba4827274b371019a4e3146add2c699553013a90c613d23ae76528bf4d8

memory/5280-1800-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/1944-1802-0x0000000000940000-0x0000000000E15000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2396-1889-0x00000000261D0000-0x00000000261EA000-memory.dmp

memory/2396-1890-0x00000000261F0000-0x00000000261F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000029001\d20bc07819.exe

MD5 fc16f8c6b738fbb7d1a03848329360ea
SHA1 27260a586b8511d4375f086210bd751b79e50b1b
SHA256 40e3298b5e6b98f8b52a2af928463a543e7f0a6dca869565e8ac8ad867f3ce61
SHA512 55dccd477a2f35743fddc72fdae8a7c30cfca356ff00857604152afc9d9be4856aa822321b8e822131f7d4e3e9ff9e67020f63e712601f33201c86faf876fd6d

memory/3208-1904-0x0000000000560000-0x0000000000A09000-memory.dmp

memory/3208-1906-0x0000000000560000-0x0000000000A09000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 0814d61152c94ab99db7c5d3c1d30fa6
SHA1 0449deaebb95deead31575b41e64653ee973da5e
SHA256 504bd188ef934664bf60655476e0109d1b2f4e99b4cb899c36c633a2f4c4c33d
SHA512 d2bb4699ad74bdcd6b8ccc41c26c5da041d80f13cd1e6a117b77d64a5192d9a69ff6f75c32ec2aea979cbc3497671c6e09d5a2fd8d0b8a1a22f58d27dc9165d5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 2a43f327a5880aae47869c076345f768
SHA1 7f9c397879c6336780d984a7f6dc65ac4377d950
SHA256 232ee3dc789f175cff6fdedab0950c15599fc0b3b7b96070ead652a9e661e535
SHA512 c45fd7f38b37d6a71c85368e68e4560ea8da324c8de7846e6ad3dee3d8db77913722c55933c6e4bc7810123e2d9ab452d5c7ef6e2c9a3fbf03f3ad34f8b88c10

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4cd61a1974f2ae9c5aef5e06d28405f8
SHA1 6661f04edb669ca1e2c780e6e87796729ba0e7ea
SHA256 b1a2caf48345b665d3c75cbaf49e5e085d28d3f95e1c83d82073faad8fe9013a
SHA512 de66f9c27cf724516d4944f81fbe7d9a2fabb35855ddee99a567d5a29470759288b3765c92e1325a7b00eb8aa64b94b6c256d2f05e8f226aaddefe467cfd81c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4da397064ceff6b1bcdb006624d668bc
SHA1 3988a9c683ff7c81e989317112f86eef812198d0
SHA256 40b8d3d943758e6624da0c4e6dc78c9a82a511922c9bfb62ad44cb2088f3f9de
SHA512 a2c6d0801d7d417490227075f45df1a11dbbf97c9b452bb5568617bbe43d66d8c99dcf2c7bad38bd1330924522748ceced69b664ebc8350a5cf99c98b6ab6519

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 6a1fb8f29fa1ac4d875da1cc0bcb6b82
SHA1 b03dd48aafbb2828c61cf7afc77cb7318883c0dd
SHA256 17c71590d27f35940e365ca3e19c1be6752cc77a3b17b754c1b7ad1a4b4ca303
SHA512 c145d4ae53318f44f89cc6aebe3fe371d4ed933571d2565f55fbb37a5e9d419f60565d265cb0c2edd1b974e29f191b4348424f3b9e12bbec6a6247098a1af8fb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ff6b433a8ae1bd409cd4fcb81bed0228
SHA1 980d49bbbe3c127f9299ff09e0a41a9d0e5b00c9
SHA256 3ff4f769fde92e788f8860b99acdf057563ab2113f5c2066fad6fd89ac20f3ab
SHA512 2d7c2458678606405230ba569a59fe83ab5a38e45e758a33176c93e3d2df630ef51d8cca5969d870960f787417f82f00b55131fd3e5f12c0f5df1a326d8c4661

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1b9d1dd7ea85afa3148797f319211721
SHA1 2ac9835342784f9a353c6f024633b59c36ba808d
SHA256 ce02f56f504c456774e5822ec17dfb19ae81b3f886b6ba265f4877c869d302ed
SHA512 8ec2bec708caefd59dba109c9d3b63fa9915a34a767bfff2eefc4538c463fea59c1a2ee29578938298212098e9cbf7239835264bd1349e98c6970e7f8bc175ec

C:\Users\Admin\AppData\Local\Temp\neon.exe

MD5 0e362e7005823d0bec3719b902ed6d62
SHA1 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

memory/5440-2112-0x0000000000D80000-0x0000000000D9A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 4af25863088856ba8e8c3280039e4a7a
SHA1 d7c01d99dd5d41669171076628cf9caf619b2746
SHA256 54033cb99184d5965f128477aa78e39aba4f011a1e89e6a511f1166875737d40
SHA512 176b8d47336720dfc56b78e79695aea912c16293cb7cff481d5afe99b7f49ab77ae22208ec3258edc607326d8092c841e988640fbfc47bd0b35704cd932c7455

memory/756-2202-0x0000000000400000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1cdcef977b9c360d6c6063b16097c0a4
SHA1 804b4229475062f637b9a7e878ae5d8e06672142
SHA256 420474bf9bbfe71d375c6d2ac06f982159e82626afc2ad6ce2e1f502817e4090
SHA512 fbe44d9bf00ad150d2f17979d57389d84a3ffe169267e817758002cade2f8fb9af5c2f07616383ef126362e60e4c3c0245587dedb9e3e1313518a1e3b9b82d8a

memory/4724-2278-0x0000000000E90000-0x000000000134F000-memory.dmp

memory/5076-2280-0x0000000000940000-0x0000000000E15000-memory.dmp

memory/4724-2282-0x0000000000E90000-0x000000000134F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 260913e2fd8edc707155b5bc900b6e2b
SHA1 b54f21a3bb33b45a19d792db6ace9d5d1a05b125
SHA256 1f561f3394abc1da09755e2c281226dddcdc69b3ba32149d11f1113ec4abca28
SHA512 e325ed5769be9600750b409aaadacdd13488157015a6d97ad552f09ec853f3e9781df1a2ee8fe52e56f6f5eb962d3625875a482faf3639787f167a08c56f583a

memory/1500-2432-0x0000000040000000-0x0000000040030000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 2c76afc5a2c5731743f37706c1fc87cf
SHA1 7e9b3c33b0e65d011882eae9d8224a3f2e30f7f6
SHA256 77fc781aa22f91c1beb606634a96088bfbbda95c1c2f08b679c281f2ffbb2dd6
SHA512 6cc81e2569857200dcd7f7c161536e9dd1fff4c9fb993fdc58c7f86b79b064713001de5d6af01136b4666439ce16532626559734549150408c8c101601ed8683

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 eb1baff1d37eaaee218adb2672792a54
SHA1 939de7b6b47b9a63de7a9886e383de8a9fc94ab6
SHA256 3bd372e585cb00d911f4c7a3b62cc292a512c99d21ca3df3352ffe10fcca4e25
SHA512 0e07fbf9b45dc212fa0caf9026f7f2bb0e0a8d8b8de164c50a576111b982322341a88f73b3dac06c85812715b047909459349ea170c74d9fd46f50e52ae72ef0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 eeb06060c20aaf772a2ac026ea355df1
SHA1 ce858b2f03ac1018d7a15ce469422ece91c5809b
SHA256 db4d1eb176f1aa63397b10153d724e488bb187f7a30db8f5c64580c867b8ece2
SHA512 746612eb67df55271ea2ea4fad31016b4d3afe8a1ead8844e09e67e4c61262e783c9f47bad594aff219df47a4407d6c447c1b14f08c47ce30b17f8a26b518bcd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 390561dde4dd95e4827ebeddd01c15a7
SHA1 b771a86bc6d4a3b859338525be53384ed5a4e72b
SHA256 f8174e37cad5b7562add24eace76d62a5608bb1c7cca946901eed9f209b0941a
SHA512 2f4b68a195a10070f25f5616b016b955213655ed0e4ccbbcc21e4bae154ed6ed7b0803b6a74f7cbb2c5e04e619564c83a41999341853b095e5571e8eaa981194

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7bae169c3c013a3349b341b8b1e76f88
SHA1 ee851d6e1d9a1fb5f8771ef080bf88f506c4630c
SHA256 69d1d51d0db6fe073b0f41f1029a2801f9a655b42ab4fa42738ab0fa013486c1
SHA512 cdf3a90d7b252c71c91a1caa70740efafff63f92a390ac46aa19a5b8ad0fb7d8c81c50c30a19c48d6a621d4270c562f136d2105f03ca079c96a434316d41a9b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7f0f0fbf174167b5a20a1d9cab1200f6
SHA1 6e6c2351d82dfdb82d6c32f8fb9f248f2e8222ec
SHA256 a2d8e71de2a69e9a6d1162d3a4d863cf00b9a49a384310105dc5d869f894a96c
SHA512 bbfa59c494f659bdee8e26896fd32c09d68c1d103b91bcade821fbd04b9005d092daea99bd7099212ce6d28787e26568702c8eca605d232a0ed97e7f345848cd