Malware Analysis Report

2024-10-18 23:35

Sample ID: 240927-jm45vssckp
Target: file.exe
SHA256: 99bc61afdb7382ac8d7f9da3bb87ca552fe8596ded65bf39a81d2f7839bbc3d6
Tags: amadey lumma redline stealc 9c9aa5 @logscloudyt_bot default default2 fed3aa livetraffic newbundle2 save tg cloud @rlreborn admin @fatherofcarders credential_access discovery evasion infostealer persistence spyware stealer trojan asyncrat xworm collection execution rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 99bc61afdb7382ac8d7f9da3bb87ca552fe8596ded65bf39a81d2f7839bbc3d6

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey lumma redline stealc 9c9aa5 @logscloudyt_bot default default2 fed3aa livetraffic newbundle2 save tg cloud @rlreborn admin @fatherofcarders credential_access discovery evasion infostealer persistence spyware stealer trojan asyncrat xworm collection execution rat

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Stealc

AsyncRat

Xworm

Lumma Stealer, LummaC

Detect Xworm Payload

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Unexpected DNS network traffic destination

Reads data files stored by FTP clients

Identifies Wine through registry keys

Checks computer location settings

Unsecured Credentials: Credentials In Files

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Checks installed software on the system

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Program crash

Checks processor information in registry

Enumerates system info in registry

outlook_office_path

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-27 07:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-27 07:48
Reported: 2024-09-27 07:50
Platform: win7-20240729-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (12 matches, no details recorded)

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000026002\3cb397bd16.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000026002\3cb397bd16.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000026002\3cb397bd16.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost015.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe | N/A
N/A | N/A | C:\Users\Admin\1000026002\3cb397bd16.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\1000026002\3cb397bd16.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecad5f0362.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\ecad5f0362.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\3cb397bd16.exe = "C:\\Users\\Admin\\1000026002\\3cb397bd16.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\c936348145.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\c936348145.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ylrdnrwcx = "C:\\Users\\Admin\\AppData\\Roaming\\Ylrdnrwcx.exe" | C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ee85a88af.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\1ee85a88af.exe" | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\71fcc0fef8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\71fcc0fef8.exe" | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A
File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000026002\3cb397bd16.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost015.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a363306
1300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c0
2b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe | N/A
N/A | N/A | C:\Users\Admin\1000026002\3cb397bd16.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 376 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2728 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 1168 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 2728 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 1744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2392 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe
PID 2392 wrote to memory of 1660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe
PID 2196 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2728 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2728 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 2728 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe

"C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe"

C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe

"C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

"C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe"

C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

"C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

"C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 800

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

"C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe"

C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe

"C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe

"C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"

C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe

"C:\Users\Admin\AppData\Local\Temp\1000023001\ecad5f0362.exe"

C:\Users\Admin\1000026002\3cb397bd16.exe

"C:\Users\Admin\1000026002\3cb397bd16.exe"

C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe

"C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2359758,0x7fef2359768,0x7fef2359778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2132 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1304 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe

"C:\Users\Admin\AppData\Local\Temp\1000029001\8e06e7d8ce.exe"

C:\Windows\system32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 7

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=1368,i,2375523643958208243,2296717652332698991,131072 /prefetch:8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

Network

Files

\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 2dbfc6089fd5e3b1aa8a004508a16a37
SHA1 20331e184251ff628c6e3593511fc6ab93349058
SHA256 99bc61afdb7382ac8d7f9da3bb87ca552fe8596ded65bf39a81d2f7839bbc3d6
SHA512 03f5390778ce28d28d6e4c60af50f0ee32f1e4adf1b0ea1958bd9897db919f63817f1a0df8b4b4ae03ac90d4e797a2a1db380f9fce9d6ef33575101c4a640629

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

MD5 389881b424cf4d7ec66de13f01c7232a
SHA1 d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78
SHA256 9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746
SHA512 2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

C:\Users\Admin\AppData\Local\Temp\Tmp6DA2.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

MD5 84263ab03b0a0f2b51cc11b93ec49c9f
SHA1 e6457eb0e0131bec70a2fd4d4a943314f0bd28d4
SHA256 7d6e4e01c452dd502361640ee095e2bee35e3f55fd11edc9e94c3580d2c132b5
SHA512 db35a02345b5166077e300524675c523a8b4082fa62fc151c0797141348cae5e173eeaec5ad1e95556e048ea6ed34a78b90b1184420557c53cd91f351417ebb2

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

C:\Users\Admin\AppData\Roaming\78YtPQ2rBj.exe

MD5 a3ef9920a91b891837705e46bb26de17
SHA1 9cfbcd0f46ec86fb57d3d6d74a064f9098adf117
SHA256 171cef885f6c285e995ce3ec5960c5ea4e4ed049cec362745058fee39e4136cc
SHA512 c65e91091b95c3aba0af7df4ed6543d26bcb5b54d6fab82f9d2ac1ba156f475f98124a1a0e8851d69be23b1dc945c76c075cd32515203273260802e1224dbd6e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\76b53b3ec448f7ccdda2063b15d2bfc3_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d

MD5 404e2d7dad5c275fee501c14d286d093
SHA1 487c8939b13381f828ff605268eac42db16470d7
SHA256 fa7c6103f546191991b3f1e22c974bb0e5ed365862dcd05aa3834e290a5b8eab
SHA512 53d61ff4be0a358a9e74ee74aeba7f1f66abdb6cdd44763fb8a4b40d91c7eed7209d5df4e2f8b3ec1c155a8edabfd5aa265c75089da43dd6fc0b78ebc1874d5a

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 384efb2c6633c4b0feb86f770bbe9618
SHA1 af7c252ee547235a21128e104e2cef079ed14d89
SHA256 7eb49628c726097f09455973e3da9176e4f968995c740a67862d75ce127a0e1c
SHA512 ec0850390ab23d7e2daa6530cdf9f0875c55a88e3ba9133f450d86d0fcfb35303e6bba632107952e23ff952e17e48b5cd0a8ad948263a843cba8697da0a6e3bd

C:\Users\Admin\AppData\Roaming\ZAtfFWRPhy.exe

MD5 4e60f3fd76d9eab244f9dc00f7765b0b
SHA1 1a154d6e837e7105c551793131cde89f157c4330
SHA256 d6945846cc23c01b9c9ad2b97d35b5a14c01f1a4cc2ec651a596f06777ba4fec
SHA512 44727e25781f448579ac35aab94aff550ed9fe5ac58d95bd394569c62892dc78216ac687baa43cef66187ebe629f5dd9cd63ea274222d11dbef3440ec4d7f77a

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

MD5 7fa5c660d124162c405984d14042506f
SHA1 69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
SHA256 fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
SHA512 d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

MD5 a21700718c70ec5e787ad373cb72a757
SHA1 027554ab5ff3245e7617f3b83d6548bf7919f92e
SHA256 87e639ecc7704cb5e29f1ebb1d8ade3ae863aaa2505a37b28f2d45121da500c6
SHA512 ea292a5442d9fe536e650a2bc5142dd3aef79c66930243897e0e87c57915f0a54e45e03e58daffb473f85fe10b963d4670050bff5ab3f91121d21d463e25659b

C:\Users\Admin\AppData\Local\Temp\Cab8A47.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

MD5 ff5afed0a8b802d74af1c1422c720446
SHA1 7135acfa641a873cb0c4c37afc49266bfeec91d8
SHA256 17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10
SHA512 11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

C:\Users\Admin\AppData\Local\Temp\Tar8A89.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\svchost015.exe

MD5 b826dd92d78ea2526e465a34324ebeea
SHA1 bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA256 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA512 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

MD5 2f1d09f64218fffe7243a8b44345b27e
SHA1 72553e1b3a759c17f54e7b568f39b3f8f1b1cdbe
SHA256 4a553c39728410eb0ebd5e530fc47ef1bdf4b11848a69889e8301974fc26cde2
SHA512 5871e2925ca8375f3c3ce368c05eb67796e1fbec80649d3cc9c39b57ee33f46476d38d3ea8335e2f5518c79f27411a568209f9f6ef38a56650c7436bbaa3f909

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cb76eabaaf011aa7fd20c717ede9808
SHA1 f51b2a146d261c5e9c913a9026799b41942530e3
SHA256 36ce0dd555f9e04bfb7c5f39f2a75b0dcb66e79384615d1f24aff0f0ae5d9c62
SHA512 94e29fe94e2429391b547fbdaf2d104c5b3b644dda593fbf5738b070bbb655624e058b05191c19211629f33de9e76d5f629826f2f5d5161677c483a675fa47c2

C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

MD5 58e8b2eb19704c5a59350d4ff92e5ab6
SHA1 171fc96dda05e7d275ec42840746258217d9caf0
SHA256 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
SHA512 e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

MD5 1ef39c8bc5799aa381fe093a1f2d532a
SHA1 57eabb02a7c43c9682988227dd470734cc75edb2
SHA256 0cced5b50789fca3ad4b2c151b798363d712da04c377bd704dcef4898e66b2b4
SHA512 13a9c267c4ceb2bd176f1339faa035ffeb08936deeeb4e38252ea43cfe487ea1c1876e4cc2a965548e767af02805a1da62885e6538da056be0c6fae33b637682

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

MD5 6b470f7251aa9c14d7daea8f6446e217
SHA1 a256c54d4dd7e0a7a1582d8fdfef5807bc3c4af4
SHA256 8b9097b795d42c49c3b2c560714226361671a3f1d711faa9aeaee20e22e7095f
SHA512 fdc553c9d2ff19343dd99b0b34c875752df4fa0cbd494096aeb51d859bd102448f1a5043a53a808045ae52077f180546a134b1aa69db4dc04aff2610fadeaca4

C:\Users\Admin\AppData\Local\Temp\1000354001\1ee85a88af.exe

MD5 2ff9d81435c7d755cb5a6b975ed50ce6
SHA1 a588fbde21ac7335c3b516db6ccaa783eb2a088c
SHA256 162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863
SHA512 46688a8fb90c3b3bcb926e6b37129ebd45297283150e61450b685f792d20f7d5d2d88ea2487f73dd76d6e20b513f43ba143ff9d321b47f4f4563287e02a9e235

C:\Users\Admin\AppData\Local\Temp\1000355001\71fcc0fef8.exe

MD5 0b827d78c350317ad56fd6766cad6d6b
SHA1 945e3976cf4ea5c49be33b937b99db681c8c6ea3
SHA256 5376f10da390a072fa7e46618705e38c8e4854a7d6cf89d82e5df409a22c033b
SHA512 56f6c01386a83affd9944885091b088f83f122a0fe12683e3638b4cdfb5e4d2029703206ae1c8425283a8b6c30ea1ac5e526c9f3fb0a885e093be8feff592bc6

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

MD5 b3fd0e1003b1cd38402b6d32829f6135
SHA1 c9cedd6322fb83457f56b64b4624b07e2786f702
SHA256 e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31
SHA512 04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1

C:\Users\Admin\AppData\Local\Temp\1000028001\c936348145.exe

MD5 cda0b8ef0af532cf29045c06142ce1f8
SHA1 39b7bd4dadc3172152d727dd9633916ae1a8fd7d
SHA256 3129cc8fa8430ac67ed710a05d4227d636612387b02125b8006117c40c79e5b6
SHA512 40f6209a1b41e952eb5b96cadcfa87bdc5a9ceaf7f1f438beff20378d620eada3031485b179ef58920d23d6563324269206a2243d0cfb3ad58811827d39071f2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bb0fb389-bfce-4a66-82e4-4d6d75062336.tmp

MD5 241402519f1a456dc3796ab367b6b0d8
SHA1 214c572e32aee0d3224bd19e1460c36377f57873
SHA256 d536aae9a5bb5dfaa3f8b9ebbcbe8608f9d2b955d66a6caf01bf6aa2b47f7e1f
SHA512 b195f3e60ea3f2c4f5c8e74577e5bdc8e38548beeff25d9e9328cb1eefeb24f9ab161b9d2108d38fb3bb3758c9df7e0c27989822aa29b4166696ebbfe0180793

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-27 07:48

Reported

2024-09-27 07:50

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5012 created 3388 N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000026002\6b0f3adeb2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000026002\6b0f3adeb2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000026002\6b0f3adeb2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\neon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tpK5jyT5Rd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
N/A N/A C:\Users\Admin\1000026002\6b0f3adeb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\1000026002\6b0f3adeb2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecad5f0362.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\ecad5f0362.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\917086e598.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\917086e598.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6b0f3adeb2.exe = "C:\\Users\\Admin\\1000026002\\6b0f3adeb2.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b034620509.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\b034620509.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ylrdnrwcx = "C:\\Users\\Admin\\AppData\\Roaming\\Ylrdnrwcx.exe" C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f160aea806.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\f160aea806.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\tpK5jyT5Rd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000026002\6b0f3adeb2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\neon.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718969322561339" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 6136 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 6136 wrote to memory of 5948 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 5948 wrote to memory of 1540 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6136 wrote to memory of 5436 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe
PID 6136 wrote to memory of 5988 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 5436 wrote to memory of 4748 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4748 wrote to memory of 5252 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\tpK5jyT5Rd.exe
PID 4748 wrote to memory of 5572 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe
PID 5988 wrote to memory of 2776 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 6136 wrote to memory of 3052 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2776 wrote to memory of 2568 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe
PID 2568 wrote to memory of 1796 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp
PID 6136 wrote to memory of 3920 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 6136 wrote to memory of 4872 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 1796 wrote to memory of 5896 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe
PID 6136 wrote to memory of 3020 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
PID 3920 wrote to memory of 1968 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
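The WriteProcessMemory rows above are the raw material for the process tree: every parent/child pair shows a handful of writes, but gold.exe and 12dsvc.exe write 8 and 10 times into a freshly started RegAsm.exe, which is what hollowing a .NET host looks like in this kind of log. Two details matter when reconstructing the tree from such rows: PID 3920 is recycled (file.exe first, needmoney.exe later in the same run), so nodes have to be keyed on (pid, image) rather than pid alone, and the baseline write count should be taken from the data itself rather than hard-coded. The script below is an added example, not part of this report or of the sandbox vendor's tooling; the event list is copied from the table (image names shortened to basenames) and the x2 threshold is an assumed tuning value.

```python
"""Rebuild the parent/child tree from the sandbox's "wrote to memory of" rows
and flag pairs whose write count stands well above the per-launch baseline.

Added example, not part of the report. The events below are copied from the
WriteProcessMemory table (image names shortened to basenames); the x2
threshold factor is an assumed tuning value.
"""
from collections import Counter, defaultdict
from statistics import multimode


def _rep(src_pid, src_img, dst_pid, dst_img, n):
    """One tuple per logged event: (writer pid, writer image, target pid, target image)."""
    return [(src_pid, src_img, dst_pid, dst_img)] * n


# Constructed from the table above; n is the number of rows per pair.
SAMPLE_EVENTS = (
    _rep(3920, "file.exe", 6136, "axplong.exe", 3)
    + _rep(6136, "axplong.exe", 5948, "gold.exe", 3)
    + _rep(5948, "gold.exe", 1540, "RegAsm.exe", 8)
    + _rep(6136, "axplong.exe", 5436, "12dsvc.exe", 3)
    + _rep(6136, "axplong.exe", 5988, "Nework.exe", 3)
    + _rep(5436, "12dsvc.exe", 4748, "RegAsm.exe", 10)
    + _rep(4748, "RegAsm.exe", 5252, "tpK5jyT5Rd.exe", 3)
    + _rep(4748, "RegAsm.exe", 5572, "CFvbTXbM2h.exe", 3)
    + _rep(5988, "Nework.exe", 2776, "Hkbsse.exe", 3)
    + _rep(6136, "axplong.exe", 3052, "stealc_default2.exe", 3)
    + _rep(2776, "Hkbsse.exe", 2568, "stories.exe", 3)
    + _rep(2568, "stories.exe", 1796, "stories.tmp", 3)
    + _rep(6136, "axplong.exe", 3920, "needmoney.exe", 3)  # PID 3920 recycled
    + _rep(6136, "axplong.exe", 4872, "penis.exe", 3)
    + _rep(1796, "stories.tmp", 5896, "gerdaplay3se.exe", 3)
    + _rep(6136, "axplong.exe", 3020, "crypted.exe", 3)
    + _rep(3920, "needmoney.exe", 1968, "svchost015.exe", 4)
)


def count_pairs(events):
    """Count events per (parent, child). Nodes are (pid, image) pairs, so the
    recycled PID 3920 (file.exe first, needmoney.exe later) stays two nodes
    instead of merging into one bogus process."""
    return Counter(((s, si), (d, di)) for s, si, d, di in events)


def flag_injection(pair_counts, factor=2):
    """Return the pairs whose count is at least factor * the modal count.
    The modal count is what the sandbox logs for an ordinary launch (3 here);
    the two RegAsm.exe children with 8 and 10 writes are the outliers."""
    baseline = min(multimode(pair_counts.values()))
    return {pair: n for pair, n in pair_counts.items() if n >= factor * baseline}


def render_tree(events):
    """Indented tree from the root(s), annotating each edge with its count."""
    counts = count_pairs(events)
    children = defaultdict(list)
    for (parent, child), n in counts.items():
        children[parent].append((child, n))
    suspicious = flag_injection(counts)
    roots = sorted({p for p, _ in counts} - {c for _, c in counts})
    lines = []

    def walk(node, depth):
        for child, n in sorted(children[node]):
            mark = "  <-- injection?" if (node, child) in suspicious else ""
            lines.append(f"{'  ' * depth}{child[1]} (pid {child[0]}, {n} writes){mark}")
            walk(child, depth + 1)

    for root in roots:
        lines.append(f"{root[1]} (pid {root[0]})")
        walk(root, 1)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_EVENTS))
```

Running it prints a single tree rooted at file.exe with axplong.exe as the hub that launches every later stage; only the two RegAsm.exe edges carry the injection mark. The modal-count baseline is deliberate: a different sandbox or hook set may log a different number of writes for a plain CreateProcess, and a fixed threshold would then flag everything or nothing.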

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\12dsvc.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\tpK5jyT5Rd.exe

"C:\Users\Admin\AppData\Roaming\tpK5jyT5Rd.exe"

C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe

"C:\Users\Admin\AppData\Roaming\CFvbTXbM2h.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe

"C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TMB2Q.tmp\stories.tmp" /SL5="$F0238,3580803,56832,C:\Users\Admin\AppData\Local\Temp\1000065001\stories.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2332,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=3052 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"

C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe

"C:\Users\Admin\AppData\Local\Fido Video Recorder\gerdaplay3se.exe" -i

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe

"C:\Users\Admin\AppData\Local\Temp\1000314001\LummaC222222.exe"

C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

"C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"

C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe

"C:\Users\Admin\AppData\Local\Temp\1000342001\rstxdhuj.exe"

C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe

"C:\Users\Admin\AppData\Local\Temp\1000349001\cccc2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3440 -ip 3440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1220

C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe

"C:\Users\Admin\AppData\Local\Temp\1000354001\f160aea806.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe

"C:\Users\Admin\AppData\Local\Temp\1000355001\ecad5f0362.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'

C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe

"C:\Users\Admin\AppData\Local\Temp\1000023001\917086e598.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"

C:\Users\Admin\1000026002\6b0f3adeb2.exe

"C:\Users\Admin\1000026002\6b0f3adeb2.exe"

C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe

"C:\Users\Admin\AppData\Local\Temp\1000028001\b034620509.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9c6efcc40,0x7ff9c6efcc4c,0x7ff9c6efcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,11588121819490018887,14258175428082381418,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,11588121819490018887,14258175428082381418,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,11588121819490018887,14258175428082381418,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2460 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,11588121819490018887,14258175428082381418,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,11588121819490018887,14258175428082381418,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe

"C:\Users\Admin\AppData\Local\Temp\1000029001\78305aca71.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,11588121819490018887,14258175428082381418,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4572 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,11588121819490018887,14258175428082381418,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4788 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 9

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c6efcc40,0x7ff9c6efcc4c,0x7ff9c6efcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2344,i,16398006863227163237,14666032427564956807,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=2336 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,16398006863227163237,14666032427564956807,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=2440 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1992,i,16398006863227163237,14666032427564956807,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=2572 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,16398006863227163237,14666032427564956807,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,16398006863227163237,14666032427564956807,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,16398006863227163237,14666032427564956807,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=4640 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,16398006863227163237,14666032427564956807,262144 --variations-seed-version=20240926-180503.836000 --mojo-platform-channel-handle=4776 /prefetch:8

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
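The process list above carries the defence-evasion and persistence steps in clear text: two PowerShell calls add Defender exclusions for InstallUtil.exe (by path and by process name), a cmd.exe chain uses ping as a sleep before writing a Run key named "neon", two PowerShell calls read the .ROBLOSECURITY cookie from the registry, Chrome is opened in kiosk mode on a Google sign-in URL, and RegAsm.exe and InstallUtil.exe are started with no arguments at all, which is the signature of a hollowing host rather than a real registration. One detail in the list is easy to miss: for both Add-MpPreference entries the image path is SysWOW64\...\powershell.exe while the command line names System32\...\powershell.exe. The parent is a 32-bit process, so file-system redirection ran the 32-bit PowerShell; a rule keyed only on the image path or only on the command line sees half the picture. The script below is an added example, not part of this report or of any vendor tooling; the command lines are constructed copies of entries above, and the rule names and the host-binary set are my own choices.

```python
"""Run a few string rules over the command lines from the process list and
flag the .NET hosts started with no arguments plus the WoW64 path mismatch.

Added example, not part of the report. The command lines are constructed
copies of entries in the Processes list above; the rule names and the
host-binary set are my own choices.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str    # image path as logged by the sandbox
    cmdline: str  # command line as logged


RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    ("runkey_persistence",
     re.compile(r'reg(\.exe)?\s+add\s+"?HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', re.I)),
    ("ping_sleep_chain",
     re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+.*&&", re.I)),
    ("roblox_cookie_read", re.compile(r"\.ROBLOSECURITY", re.I)),
    ("browser_kiosk_login", re.compile(r"--kiosk\s+\S*accounts\.google\.com", re.I)),
]
# .NET binaries used as hollowing hosts in this report; extend as needed.
DOTNET_HOSTS = {"regasm.exe", "installutil.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _argv0_and_rest(cmdline):
    """Split a Windows command line into its first token and the remainder,
    honouring a double-quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(proc):
    """Return the rule names that fire for one process (empty list if none)."""
    hits = [name for name, rx in RULES if rx.search(proc.cmdline)]
    argv0, rest = _argv0_and_rest(proc.cmdline)
    if _basename(proc.image) in DOTNET_HOSTS and rest == "":
        hits.append("dotnet_host_no_args")  # nothing to register: a hollowing host
    # A 32-bit parent asked for System32\powershell.exe; file-system redirection
    # ran SysWOW64\powershell.exe instead. Match on both fields or you miss one.
    if "\\syswow64\\" in proc.image.lower() and "\\system32\\" in argv0.lower():
        hits.append("wow64_redirected_image")
    return hits


def triage_all(procs):
    """(cmdline, hits) for every process with at least one hit."""
    out = []
    for p in procs:
        hits = triage(p)
        if hits:
            out.append((p.cmdline, hits))
    return out


# Constructed subset of the Processes list above.
SAMPLE_PROCS = [
    Proc(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
         r"'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'"),
    Proc(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
         r"'InstallUtil.exe'"),
    Proc(r"C:\Windows\SYSTEM32\cmd.exe",
         r'"cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"'),
    Proc(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"powershell" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    Proc(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd'),
    Proc(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US'),
]


if __name__ == "__main__":
    for cmdline, hits in triage_all(SAMPLE_PROCS):
        print(", ".join(hits), "<=", cmdline[:80])
```

The ordinary Chrome renderer line produces no hit, which is the check that the rules are not just matching on chrome.exe or powershell.exe by name. For a live host the same rules apply to Sysmon event ID 1 or to the 4688 events with command-line auditing enabled; the Defender exclusions themselves can be confirmed afterwards with Get-MpPreference.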

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.117:80 185.215.113.117 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 117.113.215.185.in-addr.arpa udp
NL 194.116.215.195:80 194.116.215.195 tcp
US 8.8.8.8:53 195.215.116.194.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
US 8.8.8.8:53 26.113.215.185.in-addr.arpa udp
DE 95.179.250.45:26212 tcp
RU 185.215.113.26:80 185.215.113.26 tcp
RU 176.113.115.95:80 176.113.115.95 tcp
RU 185.215.113.17:80 185.215.113.17 tcp
FI 65.21.18.51:45580 tcp
US 8.8.8.8:53 95.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 17.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 51.18.21.65.in-addr.arpa udp
FI 95.216.143.20:12695 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 lootebarrkeyn.shop udp
US 8.8.8.8:53 gutterydhowi.shop udp
US 104.21.4.136:443 gutterydhowi.shop tcp
US 8.8.8.8:53 ghostreedmnu.shop udp
US 104.21.79.51:443 ghostreedmnu.shop tcp
US 8.8.8.8:53 20.143.216.95.in-addr.arpa udp
US 8.8.8.8:53 136.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 offensivedzvju.shop udp
US 104.21.13.39:443 offensivedzvju.shop tcp
US 8.8.8.8:53 vozmeatillu.shop udp
US 172.67.203.144:443 vozmeatillu.shop tcp
US 8.8.8.8:53 51.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 39.13.21.104.in-addr.arpa udp
US 8.8.8.8:53 144.203.67.172.in-addr.arpa udp
NL 89.105.223.196:29862 tcp
US 8.8.8.8:53 drawzhotdog.shop udp
US 172.67.162.108:443 drawzhotdog.shop tcp
US 8.8.8.8:53 fragnantbui.shop udp
US 104.21.21.20:443 fragnantbui.shop tcp
US 8.8.8.8:53 108.162.67.172.in-addr.arpa udp
US 8.8.8.8:53 20.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 stogeneratmns.shop udp
US 172.67.159.1:443 stogeneratmns.shop tcp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 1.159.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 reinforcenh.shop udp
US 8.8.8.8:53 google.com udp
US 172.67.208.139:443 reinforcenh.shop tcp
US 8.8.8.8:53 139.208.67.172.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 racedsuitreow.shop udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 ballotnwu.site udp
TM 91.202.233.158:80 91.202.233.158 tcp
US 8.8.8.8:53 defenddsouneuw.shop udp
US 104.21.2.13:443 ballotnwu.site tcp
US 104.21.26.56:443 defenddsouneuw.shop tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 13.2.21.104.in-addr.arpa udp
US 8.8.8.8:53 158.233.202.91.in-addr.arpa udp
US 8.8.8.8:53 56.26.21.104.in-addr.arpa udp
RU 185.215.113.37:80 185.215.113.37 tcp
US 172.67.162.108:443 drawzhotdog.shop tcp
US 8.8.8.8:53 37.113.215.185.in-addr.arpa udp
US 104.21.4.136:443 gutterydhowi.shop tcp
US 104.21.79.51:443 ghostreedmnu.shop tcp
US 104.21.13.39:443 offensivedzvju.shop tcp
US 172.67.203.144:443 vozmeatillu.shop tcp
US 104.21.21.20:443 fragnantbui.shop tcp
US 172.67.159.1:443 stogeneratmns.shop tcp
US 172.67.208.139:443 reinforcenh.shop tcp
GB 23.214.143.155:443 steamcommunity.com tcp
RU 185.215.113.43:80 185.215.113.43 tcp
US 104.21.2.13:443 ballotnwu.site tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
DE 95.179.250.45:26212 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
RU 185.215.113.37:80 185.215.113.37 tcp
US 8.8.8.8:53 youtube.com udp
GB 142.250.179.238:443 youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.187.238:443 consent.youtube.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
NL 188.190.10.161:4444 tcp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 161.10.190.188.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 142.250.187.238:443 consent.youtube.com udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 95.179.250.45:26212 tcp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
GB 142.250.187.238:443 consent.youtube.com udp
DE 95.179.250.45:26212 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
DE 95.179.250.45:26212 tcp
HK 47.238.55.14:4444 tcp
US 8.8.8.8:53 14.55.238.47.in-addr.arpa udp
HK 47.238.55.14:4444 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
LT 91.211.247.248:53 bedufwi.com udp
US 185.208.158.248:80 bedufwi.com tcp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
US 8.8.8.8:53 248.158.208.185.in-addr.arpa udp
GB 142.250.178.14:443 www.youtube.com udp
DE 95.179.250.45:26212 tcp
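Most of the Network table is not indicator material: the in-addr.arpa rows are the sandbox's own reverse lookups through 8.8.8.8, the Google and YouTube rows come from the Chrome kiosk window, and the 224.0.0.251:5353 row is mDNS. What is left falls into a few shapes: plain HTTP to bare IPs with no DNS (the 185.215.113.x:80 rows), direct TCP to high or odd ports with no name at all (26212, 45580, 12695, 29862, 15206, 4444), TLS to short-lived .shop and .site names that all resolve into the 104.21.x and 172.67.x Cloudflare ranges, one DNS query that goes to 91.211.247.248:53 instead of the resolver every other lookup uses, and two legitimate services (steamcommunity.com, ip-api.com) that stealers routinely abuse as a dead-drop resolver and as an external-IP check, which are worth reviewing rather than allow-listing. The script below is an added example, not part of this report; SAMPLE_TABLE is a constructed subset of the rows above in the same column layout, including the rows that have no Domain column, and the resolver, benign suffixes, review list and CDN prefixes are assumptions chosen for this table.

```python
"""Turn the report's Network table into a deduplicated IOC list: drop the
sandbox's reverse lookups, multicast and the kiosk window's Google traffic,
and bucket what remains by the kind of connection.

Added example, not part of the report. SAMPLE_TABLE is a constructed subset
of the rows above in the same column layout; the resolver, the benign
suffixes, the review list and the Cloudflare front prefixes are assumptions
chosen for this table, not general truths.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SANDBOX_RESOLVER = "8.8.8.8"                                 # every lookup but one goes here
BENIGN_SUFFIXES = ("google.com", "youtube.com", "gvt2.com")  # chrome --kiosk traffic
REVIEW = {"steamcommunity.com", "ip-api.com"}                # legit, but stealers abuse both
CLOUDFLARE_PREFIXES = ("104.21.", "172.67.")                 # fronts for the .shop/.site names

SAMPLE_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.117:80 185.215.113.117 tcp
DE 95.179.250.45:26212 tcp
FI 65.21.18.51:45580 tcp
US 8.8.8.8:53 gutterydhowi.shop udp
US 104.21.4.136:443 gutterydhowi.shop tcp
US 172.67.203.144:443 vozmeatillu.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
GB 142.250.179.238:443 youtube.com tcp
NL 188.190.10.161:4444 tcp
HK 47.238.55.14:4444 tcp
US 208.95.112.1:80 ip-api.com tcp
LT 91.211.247.248:53 bedufwi.com udp
US 185.208.158.248:80 bedufwi.com tcp
N/A 224.0.0.251:5353 udp
DE 95.179.250.45:26212 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # "" when the report row has no Domain column
    proto: str


def parse_rows(text):
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # direct-to-IP rows carry no Domain
            (country, dest, proto), domain = parts, ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def _is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def classify(f):
    if f.domain.endswith(".in-addr.arpa"):
        return "noise_reverse_lookup"
    if f.port == 53:
        return "dns_query" if f.ip == SANDBOX_RESOLVER else "dns_unexpected_resolver"
    if f.port == 5353 or f.ip.startswith("224."):
        return "noise_multicast"
    if f.domain in REVIEW:
        return "review_legit_service"
    if any(f.domain == s or f.domain.endswith("." + s) for s in BENIGN_SUFFIXES):
        return "noise_browser"
    if f.domain == "" and f.port not in (80, 443):
        return "suspect_direct_tcp_port"     # no DNS, odd port: RAT-style callback
    if _is_ip_literal(f.domain) and f.port == 80:
        return "suspect_http_bare_ip"        # plain HTTP to a bare-IP panel
    if f.port == 443 and f.ip.startswith(CLOUDFLARE_PREFIXES):
        return "suspect_tls_fronted_domain"  # throwaway domain behind a CDN front
    return "suspect_domain" if f.domain else "other"


def summarize(flows):
    """category -> set of IOC keys (domain where one exists, else ip:port)."""
    out = defaultdict(set)
    for f in flows:
        cat = classify(f)
        use_domain = f.domain and not _is_ip_literal(f.domain) and not cat.startswith("dns")
        out[cat].add(f.domain if use_domain else f"{f.ip}:{f.port}")
    return dict(out)


if __name__ == "__main__":
    for cat, keys in sorted(summarize(parse_rows(SAMPLE_TABLE)).items()):
        print(f"{cat:28} {', '.join(sorted(keys))}")
```

The sets deduplicate repeated rows (95.179.250.45:26212 appears several times in the table and once in the output). The "dns_unexpected_resolver" bucket is the one to look at first when tuning egress rules: on a host where only the corporate resolver may speak DNS, that single row is a firewall hit before any of the C2 traffic is.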

Files
