Malware Analysis Report

2025-06-16 01:50

Sample ID 220909-atv14adcar
Target 9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c
SHA256 9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c
Tags
djvu redline socelars bits mario_new discovery infostealer persistence ransomware spyware stealer upx vmprotect
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c

Threat Level: Known bad

The file 9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c was found to be: Known bad.

Malicious Activity Summary

djvu redline socelars bits mario_new discovery infostealer persistence ransomware spyware stealer upx vmprotect

Socelars

Detected Djvu ransomware

RedLine

Djvu Ransomware

Process spawned unexpected child process

Socelars payload

RedLine payload

VMProtect packed file

Executes dropped EXE

Downloads MZ/PE file

UPX packed file

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Modifies file permissions

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-09 00:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-09 00:30

Reported

2022-09-09 00:33

Platform

win10-20220812-en

Max time kernel

113s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

UPX packed file

upx

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 34.142.181.181 N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\95681693-2fa1-4ab2-b0a5-826db8383f65\\5296.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5296.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ip-api.com N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4092 set thread context of 100824 N/A C:\Users\Admin\AppData\Local\Temp\2163.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 101136 set thread context of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 set thread context of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\765D.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\32C9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 4092 N/A N/A C:\Users\Admin\AppData\Local\Temp\2163.exe
PID 2172 wrote to memory of 4092 N/A N/A C:\Users\Admin\AppData\Local\Temp\2163.exe
PID 2172 wrote to memory of 4092 N/A N/A C:\Users\Admin\AppData\Local\Temp\2163.exe
PID 4092 wrote to memory of 100824 N/A C:\Users\Admin\AppData\Local\Temp\2163.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 100824 N/A C:\Users\Admin\AppData\Local\Temp\2163.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 100824 N/A C:\Users\Admin\AppData\Local\Temp\2163.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 100824 N/A C:\Users\Admin\AppData\Local\Temp\2163.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 100824 N/A C:\Users\Admin\AppData\Local\Temp\2163.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2172 wrote to memory of 101044 N/A N/A C:\Users\Admin\AppData\Local\Temp\32C9.exe
PID 2172 wrote to memory of 101044 N/A N/A C:\Users\Admin\AppData\Local\Temp\32C9.exe
PID 2172 wrote to memory of 101044 N/A N/A C:\Users\Admin\AppData\Local\Temp\32C9.exe
PID 2172 wrote to memory of 101136 N/A N/A C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 2172 wrote to memory of 101136 N/A N/A C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 2172 wrote to memory of 101136 N/A N/A C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101136 wrote to memory of 100996 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 2172 wrote to memory of 101156 N/A N/A C:\Users\Admin\AppData\Local\Temp\6748.exe
PID 2172 wrote to memory of 101156 N/A N/A C:\Users\Admin\AppData\Local\Temp\6748.exe
PID 2172 wrote to memory of 101144 N/A N/A C:\Users\Admin\AppData\Local\Temp\765D.exe
PID 2172 wrote to memory of 101144 N/A N/A C:\Users\Admin\AppData\Local\Temp\765D.exe
PID 2172 wrote to memory of 101144 N/A N/A C:\Users\Admin\AppData\Local\Temp\765D.exe
PID 100996 wrote to memory of 101060 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Windows\SysWOW64\icacls.exe
PID 100996 wrote to memory of 101060 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Windows\SysWOW64\icacls.exe
PID 100996 wrote to memory of 101060 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Windows\SysWOW64\icacls.exe
PID 2172 wrote to memory of 101152 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE65.exe
PID 2172 wrote to memory of 101152 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE65.exe
PID 2172 wrote to memory of 101152 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE65.exe
PID 100996 wrote to memory of 101272 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 100996 wrote to memory of 101272 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 100996 wrote to memory of 101272 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101144 wrote to memory of 101100 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe C:\Windows\SysWOW64\cmd.exe
PID 101144 wrote to memory of 101100 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe C:\Windows\SysWOW64\cmd.exe
PID 101144 wrote to memory of 101100 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe C:\Windows\SysWOW64\cmd.exe
PID 101152 wrote to memory of 101128 N/A C:\Users\Admin\AppData\Local\Temp\AE65.exe C:\Users\Admin\AppData\Local\Temp\AE65.exe
PID 101152 wrote to memory of 101128 N/A C:\Users\Admin\AppData\Local\Temp\AE65.exe C:\Users\Admin\AppData\Local\Temp\AE65.exe
PID 101152 wrote to memory of 101128 N/A C:\Users\Admin\AppData\Local\Temp\AE65.exe C:\Users\Admin\AppData\Local\Temp\AE65.exe
PID 101100 wrote to memory of 101160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 101100 wrote to memory of 101160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 101100 wrote to memory of 101160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2172 wrote to memory of 101324 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDA2.exe
PID 2172 wrote to memory of 101324 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDA2.exe
PID 2172 wrote to memory of 101324 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDA2.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101272 wrote to memory of 100852 N/A C:\Users\Admin\AppData\Local\Temp\5296.exe C:\Users\Admin\AppData\Local\Temp\5296.exe
PID 101144 wrote to memory of 101172 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 101144 wrote to memory of 101172 N/A C:\Users\Admin\AppData\Local\Temp\765D.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 101172 wrote to memory of 101304 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 101172 wrote to memory of 101304 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe

"C:\Users\Admin\AppData\Local\Temp\9c3f73781b9bcbe3c74c2d6350bd68cc7a08b9cf0c48d1745f5bab745c08ad9c.exe"

C:\Users\Admin\AppData\Local\Temp\2163.exe

C:\Users\Admin\AppData\Local\Temp\2163.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 195428

C:\Users\Admin\AppData\Local\Temp\32C9.exe

C:\Users\Admin\AppData\Local\Temp\32C9.exe

C:\Users\Admin\AppData\Local\Temp\5296.exe

C:\Users\Admin\AppData\Local\Temp\5296.exe

C:\Users\Admin\AppData\Local\Temp\5296.exe

C:\Users\Admin\AppData\Local\Temp\5296.exe

C:\Users\Admin\AppData\Local\Temp\6748.exe

C:\Users\Admin\AppData\Local\Temp\6748.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 101156 -s 396

C:\Users\Admin\AppData\Local\Temp\765D.exe

C:\Users\Admin\AppData\Local\Temp\765D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\95681693-2fa1-4ab2-b0a5-826db8383f65" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AE65.exe

C:\Users\Admin\AppData\Local\Temp\AE65.exe

C:\Users\Admin\AppData\Local\Temp\5296.exe

"C:\Users\Admin\AppData\Local\Temp\5296.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\AE65.exe

"C:\Users\Admin\AppData\Local\Temp\AE65.exe" -h

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\EDA2.exe

C:\Users\Admin\AppData\Local\Temp\EDA2.exe

C:\Users\Admin\AppData\Local\Temp\5296.exe

"C:\Users\Admin\AppData\Local\Temp\5296.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fff6b0a4f50,0x7fff6b0a4f60,0x7fff6b0a4f70

C:\Users\Admin\AppData\Local\Temp\F842.exe

C:\Users\Admin\AppData\Local\Temp\F842.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2156 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Users\Admin\AppData\Local\Temp\B9C.exe

C:\Users\Admin\AppData\Local\Temp\B9C.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4512 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8

C:\Users\Admin\AppData\Local\26e15fcd-0646-4888-b7ff-859165e02f8f\build2.exe

"C:\Users\Admin\AppData\Local\26e15fcd-0646-4888-b7ff-859165e02f8f\build2.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k WspService

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\31E2.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\31E2.dll

C:\Users\Admin\AppData\Local\Temp\3D0E.exe

C:\Users\Admin\AppData\Local\Temp\3D0E.exe

C:\Users\Admin\AppData\Local\Temp\5068.exe

C:\Users\Admin\AppData\Local\Temp\5068.exe

C:\Users\Admin\AppData\Local\Temp\3D0E.exe

"C:\Users\Admin\AppData\Local\Temp\3D0E.exe" -h

C:\Users\Admin\AppData\Local\26e15fcd-0646-4888-b7ff-859165e02f8f\build2.exe

"C:\Users\Admin\AppData\Local\26e15fcd-0646-4888-b7ff-859165e02f8f\build2.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7B61.exe

C:\Users\Admin\AppData\Local\Temp\7B61.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 102536 -s 396

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2368 /prefetch:8

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1452 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=proxy_resolver.mojom.ProxyResolverFactory --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=proxy_resolver --mojo-platform-channel-handle=4848 /prefetch:8

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff6b0a4f50,0x7fff6b0a4f60,0x7fff6b0a4f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4612 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10672981591692412388,13494949337455844637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8

Network

Country  Destination            Domain                                    Proto
US       8.8.8.8:53             monsutiur4.com                            udp
NL       185.237.206.60:80      monsutiur4.com                            tcp
US       20.42.73.24:443        -                                         tcp
US       8.8.8.8:53             nusurionuy5ff.at                          udp
US       8.8.8.8:53             moroitomo4.net                            udp
US       8.8.8.8:53             susuerulianita1.net                       udp
US       8.8.8.8:53             cucumbetuturel4.com                       udp
US       8.8.8.8:53             nunuslushau.com                           udp
US       8.8.8.8:53             linislominyt11.at                         udp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
RU       176.122.23.55:11768    -                                         tcp
RU       78.153.144.84:27027    -                                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
US       8.8.8.8:53             edx.ajn322aa.com                          udp
US       104.21.90.234:443      edx.ajn322aa.com                          tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
US       8.8.8.8:53             www.mp3infonice.top                       udp
US       8.8.8.8:53             api.2ip.ua                                udp
NL       162.0.217.254:443      api.2ip.ua                                tcp
DE       161.97.101.255:80      www.mp3infonice.top                       tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
US       8.8.8.8:53             www.icodeps.com                           udp
US       149.28.253.196:443     www.icodeps.com                           tcp
US       8.8.8.8:53             i.xyzgamei.com                            udp
US       172.67.137.109:443     i.xyzgamei.com                            tcp
US       8.8.8.8:53             b.game2723.com                            udp
US       8.8.8.8:53             ocsp.trust-provider.cn                    udp
US       188.114.96.0:443       b.game2723.com                            tcp
NL       47.246.48.208:80       ocsp.trust-provider.cn                    tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
US       8.8.8.8:53             iplogger.org                              udp
DE       148.251.234.83:443     iplogger.org                              tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
US       8.8.8.8:53             trustnero.com                             udp
US       172.67.128.245:443     trustnero.com                             tcp
US       8.8.8.8:53             fakermet.com                              udp
US       104.21.14.22:443       fakermet.com                              tcp
US       8.8.8.8:53             v.xyzgamev.com                            udp
US       104.21.40.196:443      v.xyzgamev.com                            tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
RU       85.192.63.184:80       85.192.63.184                             tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
MX       187.190.48.135:80      linislominyt11.at                         tcp
NL       162.0.217.254:443      api.2ip.ua                                tcp
US       8.8.8.8:53             efijkyt.s3.ap-northeast-2.amazonaws.com   udp
US       8.8.8.8:53             clients2.google.com                       udp
US       8.8.8.8:53             accounts.google.com                       udp
US       8.8.8.8:53             m.facebook.com                            udp
NL       172.217.168.238:443    clients2.google.com                       tcp
NL       142.251.36.45:443      accounts.google.com                       tcp
KR       3.5.140.106:443        efijkyt.s3.ap-northeast-2.amazonaws.com   tcp
ES       31.13.83.36:443        m.facebook.com                            tcp
ES       31.13.83.36:443        m.facebook.com                            tcp
KR       3.5.140.106:443        efijkyt.s3.ap-northeast-2.amazonaws.com   tcp
US       8.8.8.8:53             edgedl.me.gvt1.com                        udp
US       8.8.8.8:53             rgyui.top                                 udp
US       34.104.35.123:80       edgedl.me.gvt1.com                        tcp
US       8.8.8.8:53             acacaca.org                               udp
MX       187.190.48.135:80      rgyui.top                                 tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
KR       222.236.49.124:80      acacaca.org                               tcp
US       8.8.8.8:53             secure.facebook.com                       udp
ES       31.13.83.17:443        secure.facebook.com                       tcp
US       8.8.8.8:53             dns.google                                udp
US       8.8.8.8:443            dns.google                                tcp
US       8.8.8.8:53             www.facebook.com                          udp
US       8.8.8.8:443            dns.google                                tcp
NL       157.240.247.35:443     www.facebook.com                          tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
KR       222.236.49.124:80      acacaca.org                               tcp
US       8.8.8.8:53             g.agametog.com                            udp
US       8.8.8.8:53             g.agametog.com                            udp
US       8.8.8.8:443            dns.google                                udp
SG       34.142.181.181:53      g.agametog.com                            udp
NL       216.58.214.3:443       -                                         tcp
US       188.114.97.0:80        b.game2723.com                            tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
NL       216.58.214.14:443      -                                         tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
N/A      224.0.0.251:5353       -                                         udp
US       149.28.253.196:443     www.icodeps.com                           tcp
DE       148.251.234.83:443     iplogger.org                              tcp
US       104.21.40.196:443      v.xyzgamev.com                            tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
US       8.8.8.8:53             ip-api.com                                udp
US       208.95.112.1:80        ip-api.com                                tcp
TW       35.236.159.79:80       35.236.159.79                             tcp
US       8.8.8.8:53             pp.abcgameabc.com                         udp
US       104.21.34.132:443      pp.abcgameabc.com                         tcp
MX       187.190.48.135:80      rgyui.top                                 tcp
TW       35.236.159.79:80       35.236.159.79                             tcp
TW       35.236.159.79:80       35.236.159.79                             tcp
US       8.8.8.8:53             t.me                                      udp
NL       149.154.167.99:443     t.me                                      tcp
US       8.8.8.8:53             x2.c.lencr.org                            udp
NL       23.2.164.159:80        x2.c.lencr.org                            tcp
US       8.8.8.8:53             e1.o.lencr.org                            udp
NL       96.16.53.165:80        e1.o.lencr.org                            tcp
US       104.21.34.132:443      pp.abcgameabc.com                         tcp
US       104.21.34.132:443      pp.abcgameabc.com                         tcp
DE       116.202.179.139:80     -                                         tcp

Files

memory/2656-119-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-120-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-121-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-123-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-124-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-125-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-126-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-127-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-128-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-129-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-132-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-133-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-134-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-135-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-136-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-137-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-138-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-139-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-140-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-141-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-142-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-143-0x0000000002DE8000-0x0000000002DF9000-memory.dmp

memory/2656-144-0x0000000002B80000-0x0000000002C2E000-memory.dmp

memory/2656-145-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-146-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-147-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-148-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-149-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-150-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-151-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-153-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/2656-152-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-154-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-155-0x0000000002DE8000-0x0000000002DF9000-memory.dmp

memory/2656-156-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/4092-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2163.exe

MD5 b5217bb7be0e5f48d7a63d86ed10d79e
SHA1 8eda656c588396f74c1abeb019992015ec134a0c
SHA256 f1127c9264936045acc1c0f3d10d8683d78c865171a7ef485ecdf5d8aa2704f5
SHA512 1b2ad5d7af43702d065493accd7416df2c258996642d8b472ac54af96a8282c87baf22ae4155a0a490f4ec70498bf6846b364ef6a00cd99a6de2c4e45b7c6144

memory/4092-159-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4092-160-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4092-161-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4092-162-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4092-163-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4092-164-0x0000000077770000-0x00000000778FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2163.exe

MD5 b5217bb7be0e5f48d7a63d86ed10d79e
SHA1 8eda656c588396f74c1abeb019992015ec134a0c
SHA256 f1127c9264936045acc1c0f3d10d8683d78c865171a7ef485ecdf5d8aa2704f5
SHA512 1b2ad5d7af43702d065493accd7416df2c258996642d8b472ac54af96a8282c87baf22ae4155a0a490f4ec70498bf6846b364ef6a00cd99a6de2c4e45b7c6144

memory/100824-166-0x0000000004780000-0x00000000047E0000-memory.dmp

memory/100824-171-0x00000000047DB03E-mapping.dmp

memory/100824-172-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-173-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-174-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-175-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-176-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-178-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-179-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-181-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-182-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-183-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-184-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-185-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-186-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-187-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-188-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-189-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-190-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-191-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-192-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/100824-193-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/101044-202-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\32C9.exe

MD5 7ee26071eccd624c58596bb7e356c8c3
SHA1 2c61201ce36e236c30c350bfae82fa74d21c89cb
SHA256 69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b
SHA512 7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

C:\Users\Admin\AppData\Local\Temp\32C9.exe

MD5 7ee26071eccd624c58596bb7e356c8c3
SHA1 2c61201ce36e236c30c350bfae82fa74d21c89cb
SHA256 69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b
SHA512 7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

memory/100824-231-0x0000000004CC0000-0x0000000004CC6000-memory.dmp

memory/100824-250-0x000000000E8F0000-0x000000000EEF6000-memory.dmp

memory/100824-251-0x000000000E470000-0x000000000E57A000-memory.dmp

memory/100824-253-0x000000000E3A0000-0x000000000E3B2000-memory.dmp

memory/100824-255-0x000000000E400000-0x000000000E43E000-memory.dmp

memory/100824-257-0x000000000E580000-0x000000000E5CB000-memory.dmp

memory/101044-269-0x0000000000870000-0x000000000091E000-memory.dmp

memory/101044-271-0x0000000002440000-0x000000000247E000-memory.dmp

memory/101044-293-0x00000000026F0000-0x000000000272E000-memory.dmp

memory/101044-298-0x0000000004F70000-0x000000000546E000-memory.dmp

memory/101044-300-0x0000000004E40000-0x0000000004E7C000-memory.dmp

memory/101044-302-0x0000000004E80000-0x0000000004F12000-memory.dmp

memory/101044-321-0x0000000000400000-0x000000000086C000-memory.dmp

memory/101136-325-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5296.exe

MD5 e6bd24d15533146f6a4acce8ae7b87d4
SHA1 3e3b43c700f553551c736de79dbb0fa58c8d67cc
SHA256 0b4b89442846ef32de3a23eed2f2fc236786f34a3af8dc6bc3674d9a738626fc
SHA512 4f659f38342925827ea6859c9a8b68d6d36f1245ed171d46bf45ce3d87e3723e8c320aadbbce7a06d43773b31431a7aea35c32457b78e1fad9687a33999d3e03

C:\Users\Admin\AppData\Local\Temp\5296.exe

MD5 e6bd24d15533146f6a4acce8ae7b87d4
SHA1 3e3b43c700f553551c736de79dbb0fa58c8d67cc
SHA256 0b4b89442846ef32de3a23eed2f2fc236786f34a3af8dc6bc3674d9a738626fc
SHA512 4f659f38342925827ea6859c9a8b68d6d36f1245ed171d46bf45ce3d87e3723e8c320aadbbce7a06d43773b31431a7aea35c32457b78e1fad9687a33999d3e03

memory/100824-346-0x000000000E730000-0x000000000E796000-memory.dmp

memory/101136-463-0x0000000002530000-0x00000000025C2000-memory.dmp

memory/101136-466-0x0000000002630000-0x000000000274B000-memory.dmp

memory/100996-474-0x0000000000424141-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5296.exe

MD5 e6bd24d15533146f6a4acce8ae7b87d4
SHA1 3e3b43c700f553551c736de79dbb0fa58c8d67cc
SHA256 0b4b89442846ef32de3a23eed2f2fc236786f34a3af8dc6bc3674d9a738626fc
SHA512 4f659f38342925827ea6859c9a8b68d6d36f1245ed171d46bf45ce3d87e3723e8c320aadbbce7a06d43773b31431a7aea35c32457b78e1fad9687a33999d3e03

memory/101156-492-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6748.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

C:\Users\Admin\AppData\Local\Temp\6748.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

memory/101044-540-0x0000000002440000-0x000000000247E000-memory.dmp

memory/101044-537-0x0000000000870000-0x000000000091E000-memory.dmp

memory/100996-663-0x0000000000400000-0x0000000000537000-memory.dmp

memory/100824-688-0x000000000FBD0000-0x000000000FD92000-memory.dmp

memory/100824-691-0x00000000102D0000-0x00000000107FC000-memory.dmp

memory/101144-714-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\765D.exe

MD5 1209eb5280434f121fa888e5d9665bef
SHA1 d85f7e6ab0486f32bc51c772215488dcfb299941
SHA256 30a2d83678b8e9a39debd957bf3e4dea8d97423fe19ca7b21a87ff1434f9b3d3
SHA512 79cdf89289871b1a89b65bb36353437d4c2fa11fb0bc6a4c60affc43ad1eab6d836c17a9a0bccdbaff365713b508b130af9eda338acb08d03af8fad0a1fa5c9b

C:\Users\Admin\AppData\Local\Temp\765D.exe

MD5 1209eb5280434f121fa888e5d9665bef
SHA1 d85f7e6ab0486f32bc51c772215488dcfb299941
SHA256 30a2d83678b8e9a39debd957bf3e4dea8d97423fe19ca7b21a87ff1434f9b3d3
SHA512 79cdf89289871b1a89b65bb36353437d4c2fa11fb0bc6a4c60affc43ad1eab6d836c17a9a0bccdbaff365713b508b130af9eda338acb08d03af8fad0a1fa5c9b

memory/101144-749-0x0000000000400000-0x000000000058E000-memory.dmp

memory/101060-801-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\95681693-2fa1-4ab2-b0a5-826db8383f65\5296.exe

MD5 e6bd24d15533146f6a4acce8ae7b87d4
SHA1 3e3b43c700f553551c736de79dbb0fa58c8d67cc
SHA256 0b4b89442846ef32de3a23eed2f2fc236786f34a3af8dc6bc3674d9a738626fc
SHA512 4f659f38342925827ea6859c9a8b68d6d36f1245ed171d46bf45ce3d87e3723e8c320aadbbce7a06d43773b31431a7aea35c32457b78e1fad9687a33999d3e03

memory/101044-884-0x0000000000870000-0x000000000091E000-memory.dmp

memory/101044-886-0x0000000000400000-0x000000000086C000-memory.dmp

memory/101152-890-0x0000000000000000-mapping.dmp

memory/100996-893-0x0000000000400000-0x0000000000537000-memory.dmp

memory/101144-896-0x0000000000400000-0x000000000058E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE65.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/101272-905-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5296.exe

MD5 e6bd24d15533146f6a4acce8ae7b87d4
SHA1 3e3b43c700f553551c736de79dbb0fa58c8d67cc
SHA256 0b4b89442846ef32de3a23eed2f2fc236786f34a3af8dc6bc3674d9a738626fc
SHA512 4f659f38342925827ea6859c9a8b68d6d36f1245ed171d46bf45ce3d87e3723e8c320aadbbce7a06d43773b31431a7aea35c32457b78e1fad9687a33999d3e03

memory/100996-908-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE65.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/101100-956-0x0000000000000000-mapping.dmp

memory/101128-966-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AE65.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/101160-973-0x0000000000000000-mapping.dmp

memory/101324-1058-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EDA2.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

memory/101272-1073-0x00000000024F0000-0x000000000258F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5296.exe

MD5 e6bd24d15533146f6a4acce8ae7b87d4
SHA1 3e3b43c700f553551c736de79dbb0fa58c8d67cc
SHA256 0b4b89442846ef32de3a23eed2f2fc236786f34a3af8dc6bc3674d9a738626fc
SHA512 4f659f38342925827ea6859c9a8b68d6d36f1245ed171d46bf45ce3d87e3723e8c320aadbbce7a06d43773b31431a7aea35c32457b78e1fad9687a33999d3e03

memory/100852-1082-0x0000000000424141-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EDA2.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

MD5 f79618c53614380c5fdc545699afe890
SHA1 7804a4621cd9405b6def471f3ebedb07fb17e90a
SHA256 f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c
SHA512 c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

C:\Users\Admin\AppData\Local\Temp\F842.exe

MD5 07bbc58f5aa8556ec94378dc10c8ade3
SHA1 371085db5bb1a5f5201a74a28a49e246e0fde9f2
SHA256 dae53a09a616e2f9cdc05d363b667d91601f3c47800b9faddee8224df2fb83c1
SHA512 4b4478962738507420c21c01a4d9d904b17202bd2c3103ad1d504bdee363dfb68070666c735bb4506cb8a620689a2601455adefb2a9c65fcada27ae31ce408f1

\??\pipe\crashpad_101172_SGVVKDSUOQXNZQBG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

MD5 c8d8c174df68910527edabe6b5278f06
SHA1 8ac53b3605fea693b59027b9b471202d150f266f
SHA256 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512 d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

MD5 6da6b303170ccfdca9d9e75abbfb59f3
SHA1 1a8070080f50a303f73eba253ba49c1e6d400df6
SHA256 66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333
SHA512 872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7cc3619a1ed71246b7a427687ac13bba
SHA1 0e7b92c837339c2fbe904539dfd5da26ff009679
SHA256 923d585d1fec6ed7934fd1657d6aada948e60a1ef4aa4f85f56a8c949a7235f4
SHA512 535806bc541e4f63eb72daac751ee8d8922500215f3e730347f9dd105825cdb09f7da4c08608ff7bb14733bb4974ad1051a67d8ca0279f572f89dcb54fb15aee

memory/101388-1137-0x0000000000000000-mapping.dmp

memory/101144-1156-0x0000000000400000-0x000000000058E000-memory.dmp

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Users\Admin\AppData\Local\Temp\F842.exe

MD5 07bbc58f5aa8556ec94378dc10c8ade3
SHA1 371085db5bb1a5f5201a74a28a49e246e0fde9f2
SHA256 dae53a09a616e2f9cdc05d363b667d91601f3c47800b9faddee8224df2fb83c1
SHA512 4b4478962738507420c21c01a4d9d904b17202bd2c3103ad1d504bdee363dfb68070666c735bb4506cb8a620689a2601455adefb2a9c65fcada27ae31ce408f1

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

MD5 e3456536cbbe0d944ff8566cec065510
SHA1 558e504b9e1b5d3ba87c57de35896086b338af46
SHA256 d71953e9d882687de54a3fb68809f7fb2be0a7f4c09d5d6d06bac3e138bf6ae7
SHA512 5dfd5c46de998084c194f724ae5e2acc607fc5854a850670f4062f6c3610e86f006ba300ede2e2b5ba8d555ff89728518b4a56ff1286fadc266fa7ff8937d68c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

memory/100852-1191-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

memory/102152-1194-0x0000000000000000-mapping.dmp

memory/101324-1220-0x0000000004CB0000-0x00000000050A4000-memory.dmp

memory/101324-1226-0x00000000050B0000-0x0000000005926000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 215064dd8b4566627489319b46e9ca43
SHA1 7fa698eef5f02a961b5862df135d7ebfd8a12292
SHA256 390f76fdb79029603900524df2f0fbfd05bf18a3bbc74b9b05b2a6dc5938393c
SHA512 2a5b12b41d728ce30f1712d23226bbefe73111b786156b97126d6497ef234e78feaf6db08c7412eaa336c869b93ab239cd46b33cc31ff2c8497214cba5927753

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 b7b9a82aee50d5c8d9c6c66d1d8d5cd5
SHA1 94f95dcebea91f1d4bbb1844a9d82b9ab00828cb
SHA256 2a7620ac89c616154501377eb9f8c5b274491662a687c51278812ab7617afe6a
SHA512 2f5816e31f10243b8d0a849b9cbc8d20918f51238f5c902af5c1ec1665b44c79f3c1c80e388c1753dbedf147cf5a3a03da262653eba6f3ef3a9fb8b38db86a0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 a6a0160f7dee79a316edde54d910ebaa
SHA1 9b374842b8954e8b27a06f22f1c0de15ea768c31
SHA256 f3646358e7a0d83e1140296fb384dc20e38a165f8f086cf240ace49e27e5b7c0
SHA512 1510a5ac8bb5d3f7a3be3397ef5266861df92bb72d013d8f9432dae8f4310d7d494e67f6b49b712519fb96ef085eb1e233eb8bd4e42bfee10faf0f6da64e4b98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 0a1a3f74bb96aac97a52723592baed05
SHA1 ef0ac03638f36be8efbfecf9d573f14a7b74ee78
SHA256 b4ff8ac676c6a8ffd097ab7b0fcf033e2a51092cdf2c4691714c4f85175bace1
SHA512 6743c25f9e4d3a9662d201119ebee958a999fdac894ebf43dc3bb6e4aa60056389fe8497c312e9523a08090a59058934c853434a473193c6d08354616334b362

memory/101324-1252-0x0000000000400000-0x0000000002F57000-memory.dmp

memory/100872-1263-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\B9C.exe

MD5 c8d618535dcead6a5b5c3d66bb6ef917
SHA1 35d8465bdb3fee6128245b977e37bba76c99ba43
SHA256 2eab3c88dcab4917e95f8ee32d0ce531100dc456f0d30447b86c94d70dd8daaa
SHA512 881ffbdd8c699ca7300e9bd606abd69b05aa0d2e9deab32b0549c47b58f7cd7aac44f9968c41a2416361e9e46e9521c9fed65e486ac1023af162afd749248050

memory/101388-1284-0x0000000002E18000-0x0000000002E28000-memory.dmp

memory/101388-1288-0x0000000002B80000-0x0000000002CCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B9C.exe

MD5 c8d618535dcead6a5b5c3d66bb6ef917
SHA1 35d8465bdb3fee6128245b977e37bba76c99ba43
SHA256 2eab3c88dcab4917e95f8ee32d0ce531100dc456f0d30447b86c94d70dd8daaa