Analysis Overview
SHA256
6967ae85bfa1e72317ffed9593170e3b48e7644b79b3b4aae49d1bccb8284835
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Detects Smokeloader packer
RedLine payload
Socelars payload
NetSupport
SmokeLoader
RedLine
Glupteba
DcRat
Raccoon
Suspicious use of NtCreateUserProcessOtherParentProcess
Socelars
Executes dropped EXE
UPX packed file
Modifies Windows Firewall
Downloads MZ/PE file
VMProtect packed file
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Script User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Creates scheduled task(s)
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-09 11:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-09 11:35
Reported
2022-09-09 11:37
Platform
win7-20220812-en
Max time kernel
150s
Max time network
45s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
Files
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp
memory/1884-56-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/1884-55-0x00000000002AE000-0x00000000002BE000-memory.dmp
memory/1884-57-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/1884-58-0x0000000000400000-0x0000000002B7E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-09 11:35
Reported
2022-09-09 11:37
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
NetSupport
Raccoon
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socelars
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3064 created 936 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\28BE.exe |
| PID 3064 created 5488 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\rss\csrss.exe |
| PID 3064 created 5488 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\rss\csrss.exe |
| PID 3064 created 5488 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\rss\csrss.exe |
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EE33.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1302.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4AED.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunsuport.ini.lnk | C:\Users\Admin\AppData\Local\Temp\EE33.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3732 set thread context of 97116 | N/A | C:\Users\Admin\AppData\Local\Temp\C1BE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 97236 set thread context of 97332 | N/A | C:\Users\Admin\AppData\Local\Temp\D016.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 97144 set thread context of 97424 | N/A | C:\Users\Admin\AppData\Local\Temp\D3A2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1960 set thread context of 97544 | N/A | C:\Users\Admin\AppData\Local\Temp\D911.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| File opened for modification | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js | C:\Users\Admin\AppData\Local\Temp\7385.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5CD6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8639.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5CD6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5CD6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8639.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8639.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\28BE.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5331.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F6A0.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\5331.exe
C:\Users\Admin\AppData\Local\Temp\5331.exe
C:\Users\Admin\AppData\Local\Temp\5CD6.exe
C:\Users\Admin\AppData\Local\Temp\5CD6.exe
C:\Users\Admin\AppData\Local\Temp\8639.exe
C:\Users\Admin\AppData\Local\Temp\8639.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A163.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\A163.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1272
C:\Users\Admin\AppData\Local\Temp\C1BE.exe
C:\Users\Admin\AppData\Local\Temp\C1BE.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 93828
C:\Users\Admin\AppData\Local\Temp\D016.exe
C:\Users\Admin\AppData\Local\Temp\D016.exe
C:\Users\Admin\AppData\Local\Temp\D3A2.exe
C:\Users\Admin\AppData\Local\Temp\D3A2.exe
C:\Users\Admin\AppData\Local\Temp\D911.exe
C:\Users\Admin\AppData\Local\Temp\D911.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\DF3C.exe
C:\Users\Admin\AppData\Local\Temp\DF3C.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\E5E5.exe
C:\Users\Admin\AppData\Local\Temp\E5E5.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 97440 -ip 97440
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 97440 -s 428
C:\Users\Admin\AppData\Local\Temp\EE33.exe
C:\Users\Admin\AppData\Local\Temp\EE33.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\F6A0.exe
C:\Users\Admin\AppData\Local\Temp\F6A0.exe
C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe
"C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\1302.exe
C:\Users\Admin\AppData\Local\Temp\1302.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\1302.exe
"C:\Users\Admin\AppData\Local\Temp\1302.exe" -h
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 97544 -ip 97544
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im AppLaunch.exe /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 97544 -s 1768
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\28BE.exe
C:\Users\Admin\AppData\Local\Temp\28BE.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0a804f50,0x7ffd0a804f60,0x7ffd0a804f70
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Local\Temp\28BE.exe
"C:\Users\Admin\AppData\Local\Temp\28BE.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 97344 -ip 97344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 97344 -s 760
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\4AED.exe
C:\Users\Admin\AppData\Local\Temp\4AED.exe
C:\Users\Admin\AppData\Local\Temp\4AED.exe
"C:\Users\Admin\AppData\Local\Temp\4AED.exe" -h
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3892 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\7385.exe
C:\Users\Admin\AppData\Local\Temp\7385.exe
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0b094f50,0x7ffd0b094f60,0x7ffd0b094f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\B830.exe
C:\Users\Admin\AppData\Local\Temp\B830.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 7800 -ip 7800
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7800 -s 424
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | monsutiur4.com | udp |
| NL | 185.237.206.60:80 | monsutiur4.com | tcp |
| IE | 13.69.239.72:443 | tcp | |
| US | 8.8.8.8:53 | nusurionuy5ff.at | udp |
| US | 8.8.8.8:53 | moroitomo4.net | udp |
| US | 8.8.8.8:53 | susuerulianita1.net | udp |
| US | 8.8.8.8:53 | cucumbetuturel4.com | udp |
| US | 8.8.8.8:53 | nunuslushau.com | udp |
| US | 8.8.8.8:53 | linislominyt11.at | udp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| RU | 85.192.63.184:80 | 85.192.63.184 | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| RU | 78.153.144.84:27027 | tcp | |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 8.8.8.8:53 | ojinsei.com | udp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 176.122.23.55:11768 | tcp | |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| US | 8.8.8.8:53 | www.oovi.it | udp |
| IT | 217.64.195.204:80 | www.oovi.it | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| US | 8.8.8.8:53 | edx.ajn322aa.com | udp |
| US | 104.21.90.234:443 | edx.ajn322aa.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 85.192.63.184:80 | 85.192.63.184 | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 78.153.144.6:2510 | | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| VN | 103.89.90.61:34589 | | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| US | 8.8.8.8:53 | www.mp3infonice.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| DE | 161.97.101.255:80 | www.mp3infonice.top | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.167.5:80 | 116.203.167.5 | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 8.8.8.8:53 | www.icodeps.com | udp |
| US | 8.8.8.8:53 | ysanhumeg1.com | udp |
| US | 149.28.253.196:443 | www.icodeps.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| DE | 116.202.180.202:80 | 116.202.180.202 | tcp |
| US | 140.82.15.232:2970 | ysanhumeg1.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 195.171.92.116:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | i.xyzgamei.com | udp |
| US | 104.21.86.228:443 | i.xyzgamei.com | tcp |
| US | 8.8.8.8:53 | b.game2723.com | udp |
| US | 188.114.97.0:443 | b.game2723.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 8.8.8.8:53 | ocsp.trust-provider.cn | udp |
| NL | 47.246.48.208:80 | ocsp.trust-provider.cn | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | trustnero.com | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.1.91:443 | trustnero.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | fakermet.com | udp |
| US | 172.67.202.54:443 | fakermet.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | m.facebook.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | fergrt.s3.us-west-2.amazonaws.com | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | udp |
| NL | 172.217.168.238:443 | clients2.google.com | udp |
| US | 52.218.182.81:443 | fergrt.s3.us-west-2.amazonaws.com | tcp |
| ES | 31.13.83.36:443 | m.facebook.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| NL | 172.217.168.238:443 | clients2.google.com | tcp |
| US | 52.218.182.81:443 | fergrt.s3.us-west-2.amazonaws.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| US | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | secure.facebook.com | udp |
| ES | 31.13.83.17:443 | secure.facebook.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 216.58.214.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | www.sadcsaheec.xyz | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.82.236:80 | www.sadcsaheec.xyz | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | 6dfda937-f511-485f-9904-b9b295d239a9.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | sofolisk.com | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| NL | 216.58.208.99:443 | ssl.gstatic.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| SG | 74.125.24.127:19302 | stun2.l.google.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 149.28.253.196:443 | www.icodeps.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| JP | 118.27.6.60:443 | | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| JP | 182.168.156.112:9001 | | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| LU | 107.189.7.243:9100 | | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| FR | 62.210.97.21:443 | | tcp |
| NL | 51.158.187.110:443 | | tcp |
| US | 51.81.209.126:443 | | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| N/A | 127.0.0.1:31464 | | tcp |
| N/A | 127.0.0.1:50286 | | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| ES | 31.13.83.36:443 | m.facebook.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | udp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | fergrt.s3.us-west-2.amazonaws.com | udp |
| NL | 172.217.168.238:443 | clients2.google.com | udp |
| NL | 172.217.168.238:443 | clients2.google.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 52.218.132.97:443 | fergrt.s3.us-west-2.amazonaws.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| N/A | 127.0.0.1:31464 | | tcp |
| ES | 31.13.83.17:443 | secure.facebook.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.82.236:80 | www.sadcsaheec.xyz | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| NL | 142.250.179.163:443 | update.googleapis.com | tcp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| NL | 216.58.208.99:443 | ssl.gstatic.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
| US | 104.21.40.196:443 | v.xyzgamev.com | tcp |
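The connection table above is several hundred rows long and repeats the same handful of endpoints (the v.xyzgamev.com beacon alone accounts for most of it), so the useful output for a responder is the de-duplicated endpoint list plus the rows that stand out. The parser below is an added example by the editor, not part of the sandbox report or its tooling. The rows embedded in SAMPLE_ROWS are a subset copied from the table above (columns: country, destination ip:port, resolved hostname, protocol); it also accepts the raw-export form in which an unresolved row has the protocol shifted into the hostname column. EXPECTED_PORTS and ABUSED_HOSTING are the editor's triage assumptions, not fields from the sandbox; ABUSED_HOSTING mirrors the report's own "Legitimate hosting services abused for malware hosting/C2" signature.

```python
"""Extract and triage network indicators from a sandbox connection table.

Added example (editor's code, not from the sandbox report). SAMPLE_ROWS are
copied from the report's connection table; the port and hosting lists are
assumptions used for triage.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Subset of rows copied from the table above, including two raw-export rows
# where the hostname is empty and the protocol sits one column to the left.
SAMPLE_ROWS = """
| PA | 190.140.74.43:80 | linislominyt11.at | tcp |
| RU | 85.192.63.184:80 | 85.192.63.184 | tcp |
| US | 209.197.3.8:80 | tcp | |
| RU | 78.153.144.84:27027 | tcp | |
| US | 8.8.8.8:53 | ojinsei.com | udp |
| RU | 178.20.42.96:80 | ojinsei.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 140.82.15.232:2970 | ysanhumeg1.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 6dfda937-f511-485f-9904-b9b295d239a9.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion | udp |
| N/A | 127.0.0.1:31464 | | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| JP | 182.168.156.112:9001 | | tcp |
"""

# Assumption: ports a browser or the OS would use anyway; anything else is worth a look.
EXPECTED_PORTS = {53, 80, 443, 5353, 19302}
# Assumption: hosting/CDN/messaging domains that commodity loaders abuse for
# payload delivery or C2 (cf. the report's "Legitimate hosting services abused" signature).
ABUSED_HOSTING = ("github.com", "githubusercontent.com", "discordapp.com",
                  "amazonaws.com", "t.me", "iplogger.org")

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    host: str
    proto: str


def parse_row(line):
    """Parse one '| CC | ip:port | host | proto |' row; None for anything else.

    Rows with no resolved hostname sometimes come out of the export as
    '| CC | ip:port | tcp | |' (protocol shifted left); realign those."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, endpoint, host, proto = cells
    if host in ("tcp", "udp") and proto == "":
        host, proto = "", host
    m = re.fullmatch(r"(" + IPV4.pattern + r"):(\d+)", endpoint)
    if not m or proto not in ("tcp", "udp"):
        return None
    return Conn(country, m.group(1), int(m.group(2)), host, proto)


def parse_table(text):
    return [c for c in (parse_row(l) for l in text.splitlines()) if c]


def _is_local(ip):
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_multicast or a.is_private


def hit_counts(conns):
    """How often each endpoint was contacted: beacon frequency is itself a signal."""
    return Counter(f"{c.ip}:{c.port}/{c.proto}" for c in conns)


def triage(conns):
    """Map each indicator (ip:port/proto or hostname) to the reasons it stands out."""
    flags = defaultdict(set)
    for c in conns:
        if _is_local(c.ip):
            continue  # loopback IPC and mDNS are sandbox noise, not indicators
        ep = f"{c.ip}:{c.port}/{c.proto}"
        is_dns = c.proto == "udp" and c.port == 53
        if not is_dns and c.port not in EXPECTED_PORTS:
            flags[ep].add(f"non-standard port {c.port}")
            if c.host == "":
                flags[ep].add("direct-to-IP, no preceding DNS resolution")
        if c.host.endswith(".onion"):
            flags[c.host].add("Tor hidden-service name resolved over plain DNS")
        if any(c.host == d or c.host.endswith("." + d) for d in ABUSED_HOSTING):
            flags[c.host].add("legitimate hosting service, check for payload download")
    return {k: sorted(v) for k, v in flags.items()}


def blocklist(conns):
    """(endpoints, hostnames) for blocking: external only, resolver queries excluded."""
    ips, hosts = set(), set()
    for c in conns:
        if _is_local(c.ip):
            continue
        if c.proto == "udp" and c.port == 53:
            if c.host:
                hosts.add(c.host)  # the queried name is the indicator, not 8.8.8.8
            continue
        ips.add((c.ip, c.port))
        if c.host and not IPV4.fullmatch(c.host):
            hosts.add(c.host)
    return sorted(ips), sorted(hosts)


if __name__ == "__main__":
    conns = parse_table(SAMPLE_ROWS)
    for ep, n in hit_counts(conns).most_common():
        print(f"{n:4d}  {ep}")
    for indicator, reasons in triage(conns).items():
        print(indicator, "->", "; ".join(reasons))
    print(blocklist(conns))
```

Run against the full table, the hit counts separate the C2 beacon from one-off payload fetches, the triage output surfaces the high-port direct-to-IP connections (27027, 11768, 2510, 34589, 2970, 9001, 9100) that no browser activity explains, and the .onion lookup over plain DNS is worth a DNS-log rule on its own, since a Tor client would never send it to 8.8.8.8.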
Files
memory/4900-132-0x0000000002D99000-0x0000000002DAA000-memory.dmp
memory/4900-133-0x0000000002D10000-0x0000000002D19000-memory.dmp
memory/4900-134-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/4900-135-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/5036-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5331.exe
| MD5 | 7ee26071eccd624c58596bb7e356c8c3 |
| SHA1 | 2c61201ce36e236c30c350bfae82fa74d21c89cb |
| SHA256 | 69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b |
| SHA512 | 7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562 |
memory/4992-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5CD6.exe
| MD5 | 5190580f9a7a5d20354eb020c54519b7 |
| SHA1 | 0271a96e09df347a540c4135e3217f9aeeb9a6c7 |
| SHA256 | 74334bd66296cd06cceb1f3fb116dca85a598c6bef3d646f108164edb61498bc |
| SHA512 | 6f5db65cdc46df01421a2a1922751f49710385a1d02e63c7634387835f77ed15f1b0ea6a4cdf037598dc71cb4562a1a06ae99252cc5a5a3219d421447e0a8c2e |
memory/4992-142-0x0000000002DC9000-0x0000000002DDA000-memory.dmp
memory/4992-143-0x0000000002C80000-0x0000000002C89000-memory.dmp
memory/5036-144-0x0000000005130000-0x00000000056D4000-memory.dmp
memory/4992-145-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/5036-147-0x0000000002390000-0x00000000023CE000-memory.dmp
memory/5036-146-0x0000000000C59000-0x0000000000C8A000-memory.dmp
memory/5036-148-0x0000000004F90000-0x0000000005022000-memory.dmp
memory/5036-149-0x0000000000400000-0x000000000086C000-memory.dmp
memory/5036-150-0x0000000005770000-0x0000000005D88000-memory.dmp
memory/5036-151-0x0000000005D90000-0x0000000005E9A000-memory.dmp
memory/5036-152-0x0000000002B00000-0x0000000002B12000-memory.dmp
memory/4992-153-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/5036-154-0x0000000005030000-0x000000000506C000-memory.dmp
memory/3776-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8639.exe
| MD5 | 07a8bc35ca1632555dd46a6867f22dd7 |
| SHA1 | 1feb0c4429e48bb877e9110c05a0a6022a3abacd |
| SHA256 | 496e0e9f8c0f4239f5ef32035a628fba3179722ae147e016ae72ae3a6d067433 |
| SHA512 | 195fc4cb02c51bb0c4095c1657ab927e9efe5299067132c331fd183beae07a7cb4acf8824efa344ecba139bb20869894924701944241cc004a414092b8ef479b |
memory/5036-158-0x0000000000C59000-0x0000000000C8A000-memory.dmp
memory/3776-159-0x0000000002E19000-0x0000000002E2A000-memory.dmp
memory/3776-160-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/5036-161-0x0000000006000000-0x0000000006066000-memory.dmp
memory/1640-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\A163.dll
| MD5 | 43aa7572e12c1a6abc3693dc21263f3c |
| SHA1 | 03407624fb118ad0ee214a597e034e96da83dc5b |
| SHA256 | 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c |
| SHA512 | f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071 |
memory/5036-165-0x0000000006840000-0x0000000006A02000-memory.dmp
memory/1420-164-0x0000000000000000-mapping.dmp
memory/5036-166-0x0000000006A10000-0x0000000006F3C000-memory.dmp
memory/3776-168-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/1420-169-0x0000000002AA0000-0x0000000002BBC000-memory.dmp
memory/1420-170-0x0000000002CE0000-0x0000000002DFC000-memory.dmp
memory/5036-171-0x0000000000C59000-0x0000000000C8A000-memory.dmp
memory/5036-172-0x0000000000400000-0x000000000086C000-memory.dmp
memory/1420-173-0x0000000000FF0000-0x00000000010AE000-memory.dmp
memory/1420-174-0x0000000002E00000-0x0000000002EA9000-memory.dmp
memory/1420-177-0x0000000002CE0000-0x0000000002DFC000-memory.dmp
memory/3732-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C1BE.exe
| MD5 | 8cd2e049bdbb6954e7ddaed3eb63dc79 |
| SHA1 | f0715504d291f42753ccb8cb340524369da00d49 |
| SHA256 | f513aa13542f7444fffa8d5a826633fee3a90ff90e9d6fdc7c67211ab1d51205 |
| SHA512 | 45539036718e6d90581d5e007f45e4e283d0a570c60b33c18194c3e1467dfe586a89da62f358ef959ab695bc0e45e77c57f88deb1433a4763ee640fb8d1e501b |
memory/97116-181-0x0000000000000000-mapping.dmp
memory/97116-182-0x0000000000400000-0x0000000000460000-memory.dmp
memory/97236-187-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D016.exe
| MD5 | d000c34a574ee1bf2354bf4aa1c59cc7 |
| SHA1 | 27f15cc0088b1a66c68d07f82f544c843c22e56e |
| SHA256 | 3db9830c78a0b03c58c7f227685044fd2b2d6aefc5de015e65ea1d9021343c33 |
| SHA512 | 434548fde748bf3c8ed7b15891d1c9de6d68ad7a5fe7603835a2128ce783ff97e32a8f9f4c78ad905c618f8737cb00ce49a671cfa2013463042b2d98709758ca |
memory/97144-190-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D3A2.exe
| MD5 | 5495cf6ada457e516aef6bfc42d98da0 |
| SHA1 | 52ead008a515dcaf06a06dd18ddeb54dc35a07f0 |
| SHA256 | 5326d545bd52b40f4b9631b95dba418a9ea5c394259bcc68901f402a334c8c8d |
| SHA512 | 5c26ae915f4a6a50b78007199275a8df01ffb2728638ff24b23ae42c3862a9060d22f710dc71bcb437abf6a9e4e9b523b54a6fe4d84808da912b8b5fe87f4a05 |
memory/1960-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D911.exe
| MD5 | 8f583554c303d00fe3397a1c04da6fbc |
| SHA1 | 0c771437de5046bc9ceefd5321dffb2a1d06ba75 |
| SHA256 | e49558e423b68f78714658817dd0b7eef7fc91273272593ed48013c1438a423b |
| SHA512 | 0c097b2d3ef0093ae5807b188acd07dfb3e21d43ae90198b13f42613558433d7f34031a4f4fc0b283ce71f090f606b75f10df49952df62e7241f7dc63bcbdba8 |
memory/97344-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DF3C.exe
| MD5 | 36cc006abe801af7acd1dd7a8e6d3936 |
| SHA1 | c822f159daeb7cd5ba00e20548773394fc2ac85d |
| SHA256 | 9f10ab9e407a18b8911ad89d975ba1d37d456becf252463d4d44f2c83689efa9 |
| SHA512 | 1baf12085a0e2808b0895f1aa78b6ae722399a90cc3716cd869f99c8a9baa8a88d80c93088cf43943161ca9e4180935e880caa0e9d980065094051e972a593b4 |
memory/97332-198-0x0000000000400000-0x0000000000428000-memory.dmp
memory/97332-196-0x0000000000000000-mapping.dmp
memory/97424-205-0x0000000000000000-mapping.dmp
memory/97424-206-0x0000000000400000-0x0000000000420000-memory.dmp
memory/97440-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E5E5.exe
| MD5 | 5a5818de3886c0ffaa7071e70d003eb6 |
| SHA1 | c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e |
| SHA256 | 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2 |
| SHA512 | 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca |
memory/97440-214-0x0000000140000000-0x0000000140608000-memory.dmp
memory/97544-219-0x0000000000400000-0x000000000045D000-memory.dmp
memory/97544-217-0x0000000000000000-mapping.dmp
memory/97544-225-0x0000000000400000-0x000000000045D000-memory.dmp
memory/97624-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EE33.exe
| MD5 | 789598a08bc57fea514d9ffd8f072b71 |
| SHA1 | 7fc3b548b599eca588b54a5d78378be24ba4fc91 |
| SHA256 | 6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8 |
| SHA512 | 6bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b |
memory/97344-229-0x0000000002DB9000-0x0000000002DCA000-memory.dmp
memory/97344-230-0x0000000002BF0000-0x0000000002C00000-memory.dmp
memory/97784-232-0x0000000000000000-mapping.dmp
memory/97344-231-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/97824-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F6A0.exe
| MD5 | 9e9e7ad2a575a1ee322b618cb9cfdf05 |
| SHA1 | 42dba5e712f382a684deb20ededef154c74b24bc |
| SHA256 | 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1 |
| SHA512 | 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e |
memory/97852-236-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe
| MD5 | b2b27ccaded1db8ee341d5bd2c373044 |
| SHA1 | 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d |
| SHA256 | e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911 |
| SHA512 | 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1 |
C:\Users\Admin\AppData\Roaming\windows_update_253746\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICL32.dll
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
C:\Users\Admin\AppData\Roaming\windows_update_253746\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\windows_update_253746\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.ini
| MD5 | 874c5276a1fc02b5c6d8de8a84840b39 |
| SHA1 | 14534f690a2bd59c9dffa2e0ec6d8d7bf6d7d532 |
| SHA256 | 65f069cb4c4cb4986a5b175ac24d6db46ac443372afc59ce8d17e4a8aa4a5ee2 |
| SHA512 | eb5bfe008f98abb855d2f5eee8f31e14c864af05561b7c31f2f454ca8e91518fa091c0bf6b2432a27ca3a4be1a1edd1ce1ec5f60ac37e25a873a9c0211bdb498 |
C:\Users\Admin\AppData\Roaming\windows_update_253746\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |
C:\Users\Admin\AppData\Roaming\windows_update_253746\NSM.LIC
| MD5 | cf5c9379d49e8627b9adc7c902298212 |
| SHA1 | f49d19ca9bc87c0bc3c85a3651716eb9a457bc7e |
| SHA256 | 2e944bcfca261a5bc15f012077dc00837b81295f5c19ef8417ad6b65ebdabc71 |
| SHA512 | 64ef0c20d0e1b6afb9ca9b262397b03dd5051b54a76decaa088b3e932a6ad93a4f6045f3c9ee4c852d3302c374f42a6f7c481287d3507740ec37a09d512b0d6e |
C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICHEK.DLL
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\Roaming\windows_update_253746\pcichek.dll
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICL32.DLL
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
memory/98012-252-0x0000000000000000-mapping.dmp
memory/97784-253-0x0000000001080000-0x0000000001087000-memory.dmp
memory/97824-255-0x0000000000400000-0x000000000058E000-memory.dmp
memory/98012-256-0x0000000000BB0000-0x0000000000BBF000-memory.dmp
memory/97784-254-0x0000000000C30000-0x0000000000C3B000-memory.dmp
memory/2456-257-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-259-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-260-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-258-0x00000000073F0000-0x0000000007400000-memory.dmp
memory/2456-261-0x0000000008080000-0x0000000008090000-memory.dmp
memory/98204-263-0x0000000000000000-mapping.dmp
memory/2456-266-0x0000000008080000-0x0000000008090000-memory.dmp
memory/98012-265-0x0000000000BC0000-0x0000000000BC9000-memory.dmp
memory/2456-267-0x0000000008080000-0x0000000008090000-memory.dmp
memory/98204-270-0x0000000001190000-0x0000000001195000-memory.dmp
memory/2456-273-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-280-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-277-0x0000000008080000-0x0000000008090000-memory.dmp
memory/98284-276-0x0000000000000000-mapping.dmp
memory/98204-275-0x0000000001180000-0x0000000001189000-memory.dmp
memory/2456-271-0x0000000008080000-0x0000000008090000-memory.dmp
memory/97544-269-0x0000000060900000-0x0000000060992000-memory.dmp
memory/2456-268-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-264-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-262-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-283-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-286-0x0000000008080000-0x0000000008090000-memory.dmp
memory/98284-288-0x0000000000C90000-0x0000000000C9C000-memory.dmp
memory/2456-284-0x0000000007F20000-0x0000000007F30000-memory.dmp
memory/2456-282-0x0000000007F20000-0x0000000007F30000-memory.dmp
memory/2456-291-0x0000000008080000-0x0000000008090000-memory.dmp
memory/2456-293-0x0000000008080000-0x0000000008090000-memory.dmp
memory/97264-290-0x0000000000000000-mapping.dmp
memory/97424-296-0x0000000005970000-0x00000000059E6000-memory.dmp
memory/2456-297-0x0000000008080000-0x0000000008090000-memory.dmp
memory/97264-303-0x00000000004B0000-0x00000000004D2000-memory.dmp
memory/97264-306-0x0000000000480000-0x00000000004A7000-memory.dmp
memory/97424-307-0x0000000005A50000-0x0000000005A6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1302.exe
| MD5 | 2f60ef19334491b0800f818fe87c42f9 |
| SHA1 | a54541d84ffdd10c71053a4da5d2635129c1a5fa |
| SHA256 | 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095 |
| SHA512 | 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4 |
memory/97180-301-0x0000000000000000-mapping.dmp
memory/97456-300-0x0000000000000000-mapping.dmp
memory/98284-299-0x0000000000CA0000-0x0000000000CA6000-memory.dmp
memory/97180-310-0x0000000000590000-0x0000000000599000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/97720-317-0x0000000000000000-mapping.dmp
memory/97628-319-0x0000000000000000-mapping.dmp
memory/97628-322-0x0000000001180000-0x000000000118B000-memory.dmp
memory/97628-321-0x0000000001190000-0x0000000001196000-memory.dmp
memory/97180-320-0x00000000005A0000-0x00000000005A5000-memory.dmp
memory/98280-323-0x0000000000000000-mapping.dmp
memory/97124-324-0x0000000000000000-mapping.dmp
memory/97188-325-0x0000000000000000-mapping.dmp
memory/97208-326-0x0000000000000000-mapping.dmp
memory/98280-327-0x0000000000690000-0x0000000000697000-memory.dmp
memory/98280-328-0x0000000000680000-0x000000000068D000-memory.dmp
memory/2856-330-0x0000000000000000-mapping.dmp
memory/3104-329-0x0000000000000000-mapping.dmp
memory/3900-331-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | dbf4f8dcefb8056dc6bae4b67ff810ce |
| SHA1 | bbac1dd8a07c6069415c04b62747d794736d0689 |
| SHA256 | 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68 |
| SHA512 | b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1 |
C:\Users\Admin\AppData\LocalLow\nss3.dll
| MD5 | f67d08e8c02574cbc2f1122c53bfb976 |
| SHA1 | 6522992957e7e4d074947cad63189f308a80fcf2 |
| SHA256 | c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e |
| SHA512 | 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5 |
C:\Users\Admin\AppData\LocalLow\mozglue.dll
| MD5 | f07d9977430e762b563eaadc2b94bbfa |
| SHA1 | da0a05b2b8d269fb73558dfcf0ed5c167f6d3877 |
| SHA256 | 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862 |
| SHA512 | 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf |
memory/3900-335-0x0000000000750000-0x0000000000758000-memory.dmp
memory/3900-336-0x0000000000740000-0x000000000074B000-memory.dmp
memory/936-337-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\28BE.exe
| MD5 | f99d573625e45fc9d02bd27d30aa5839 |
| SHA1 | e12a9683a34b4e3d06d4f6d07851fa606a2a4556 |
| SHA256 | 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6 |
| SHA512 | 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d |
memory/97344-340-0x0000000002DB9000-0x0000000002DCA000-memory.dmp
memory/3480-341-0x0000000000000000-mapping.dmp
memory/936-343-0x0000000004DDE000-0x00000000051C7000-memory.dmp
memory/97344-344-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/936-345-0x00000000051D0000-0x0000000005A46000-memory.dmp
memory/97824-346-0x0000000000400000-0x000000000058E000-memory.dmp
\??\pipe\crashpad_2096_XQXTJKEGTLEJCUCO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | eb12b384d6265240ddbf17207687c61c |
| SHA1 | 22b1587468fb41647d620cc4b0a14cc051a1ecc6 |
| SHA256 | c86a931924fbfc684cd0d1d34a29bb0a636f8019a7bf349b2f70ab493db89540 |
| SHA512 | a714b887b9931b04eefc2d7c6dd3b34d98c26d5bfd0818f07c68c518cd2a8684f138fa128bc83773b48051f86252bc971b74bbd8be188a5f9cfc9ea39ac799ca |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
| MD5 | c8d8c174df68910527edabe6b5278f06 |
| SHA1 | 8ac53b3605fea693b59027b9b471202d150f266f |
| SHA256 | 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5 |
| SHA512 | d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
| MD5 | f79618c53614380c5fdc545699afe890 |
| SHA1 | 7804a4621cd9405b6def471f3ebedb07fb17e90a |
| SHA256 | f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c |
| SHA512 | c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
| MD5 | a09e13ee94d51c524b7e2a728c7d4039 |
| SHA1 | 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae |
| SHA256 | 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef |
| SHA512 | f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
| MD5 | 6da6b303170ccfdca9d9e75abbfb59f3 |
| SHA1 | 1a8070080f50a303f73eba253ba49c1e6d400df6 |
| SHA256 | 66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333 |
| SHA512 | 872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
| MD5 | 9ffe618d587a0685d80e9f8bb7d89d39 |
| SHA1 | 8e9cae42c911027aafae56f9b1a16eb8dd7a739c |
| SHA256 | a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e |
| SHA512 | a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12 |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
| MD5 | 23231681d1c6f85fa32e725d6d63b19b |
| SHA1 | f69315530b49ac743b0e012652a3a5efaed94f17 |
| SHA256 | 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a |
| SHA512 | 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2 |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
| MD5 | 0f26002ee3b4b4440e5949a969ea7503 |
| SHA1 | 31fc518828fe4894e8077ec5686dce7b1ed281d7 |
| SHA256 | 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d |
| SHA512 | 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11 |
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
| MD5 | 4ff108e4584780dce15d610c142c3e62 |
| SHA1 | 77e4519962e2f6a9fc93342137dbb31c33b76b04 |
| SHA256 | fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a |
| SHA512 | d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2 |
memory/5296-365-0x0000000000000000-mapping.dmp
memory/5348-366-0x0000000000000000-mapping.dmp
memory/5488-369-0x0000000000000000-mapping.dmp
memory/5584-374-0x0000000000000000-mapping.dmp
memory/5660-375-0x0000000000000000-mapping.dmp
memory/5932-381-0x0000000000000000-mapping.dmp
memory/5900-379-0x0000000000000000-mapping.dmp
memory/6064-383-0x0000000000000000-mapping.dmp
memory/6420-386-0x0000000000000000-mapping.dmp
memory/6480-387-0x0000000000000000-mapping.dmp
memory/6596-392-0x0000000000000000-mapping.dmp
memory/6652-393-0x0000000000000000-mapping.dmp
memory/6692-399-0x0000000000000000-mapping.dmp
memory/6744-400-0x0000000000000000-mapping.dmp
memory/7800-405-0x0000000000000000-mapping.dmp