Malware Analysis Report

2025-06-16 01:50

Sample ID 220909-np1mnsgac8
Target file.exe
SHA256 6967ae85bfa1e72317ffed9593170e3b48e7644b79b3b4aae49d1bccb8284835
Tags
smokeloader backdoor trojan dcrat glupteba netsupport raccoon redline socelars 1337 567d5bff28c2a18132d2f88511f07435 mario_new nam5 discovery dropper evasion infostealer loader persistence rat spyware stealer upx vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6967ae85bfa1e72317ffed9593170e3b48e7644b79b3b4aae49d1bccb8284835

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan dcrat glupteba netsupport raccoon redline socelars 1337 567d5bff28c2a18132d2f88511f07435 mario_new nam5 discovery dropper evasion infostealer loader persistence rat spyware stealer upx vmprotect

Detects Smokeloader packer

RedLine payload

Socelars payload

NetSupport

SmokeLoader

RedLine

Glupteba

DcRat

Raccoon

Suspicious use of NtCreateUserProcessOtherParentProcess

Socelars

Executes dropped EXE

UPX packed file

Modifies Windows Firewall

Downloads MZ/PE file

VMProtect packed file

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Script User-Agent

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Creates scheduled task(s)

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-09 11:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-09 11:35

Reported

2022-09-09 11:37

Platform

win7-20220812-en

Max time kernel

150s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A (62 identical all-N/A rows collapsed into this one)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

N/A

Files

memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

memory/1884-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/1884-55-0x00000000002AE000-0x00000000002BE000-memory.dmp

memory/1884-57-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/1884-58-0x0000000000400000-0x0000000002B7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-09 11:35

Reported

2022-09-09 11:37

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

NetSupport

rat netsupport

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3064 created 936 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\28BE.exe
PID 3064 created 5488 N/A C:\Windows\system32\svchost.exe C:\Windows\rss\csrss.exe
PID 3064 created 5488 N/A C:\Windows\system32\svchost.exe C:\Windows\rss\csrss.exe
PID 3064 created 5488 N/A C:\Windows\system32\svchost.exe C:\Windows\rss\csrss.exe
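The signature above fires when a process is created through NtCreateUserProcess with an explicitly supplied parent handle (the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute), so the parent recorded for the child is not the process that issued the call. Here svchost.exe (PID 3064) is recorded on the parent side of 28BE.exe (PID 936) and of the dropped C:\Windows\rss\csrss.exe (PID 5488). Sysmon Event 1 and most process-tree views show only that recorded parent, so a detection needs telemetry that also carries the caller (the sandbox here, or an EDR sensor). The Python below is an added example, not part of the sandbox report: it compares the recorded parent with the creator for each event and additionally flags service hosts such as svchost.exe that appear to launch images from user-writable directories. The events are constructed; the PIDs and image paths of svchost.exe, 28BE.exe and csrss.exe are taken from the rows above, while the creator PIDs and the explorer/notepad control event are assumptions.

```python
"""Detect process creations whose recorded parent is not the process that
issued the create call (a parent handle passed through
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS), and service-host parents that appear
to spawn executables out of user-writable directories."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    ppid: int         # parent recorded in the child's PEB (what Sysmon Event 1 reports)
    creator_pid: int  # process that actually called NtCreateUserProcess (EDR/sandbox telemetry)


# Constructed events, not sandbox output. PIDs 3064, 936 and 5488 and their
# images follow the report rows; the creator PIDs and the explorer/notepad
# control event are assumptions made for this example.
PROCESSES = {
    3064: r"C:\Windows\system32\svchost.exe",
    936:  r"C:\Users\Admin\AppData\Local\Temp\28BE.exe",
    5488: r"C:\Windows\rss\csrss.exe",
    4000: r"C:\Windows\explorer.exe",
    4100: r"C:\Windows\system32\notepad.exe",
}
EVENTS = [
    ProcEvent(936,  PROCESSES[936],  ppid=3064, creator_pid=2200),  # creator PID assumed
    ProcEvent(5488, PROCESSES[5488], ppid=3064, creator_pid=936),   # creator PID assumed
    ProcEvent(4100, PROCESSES[4100], ppid=4000, creator_pid=4000),  # honest creation, control
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "c:\\programdata\\")
SERVICE_HOSTS = {"svchost.exe", "services.exe", "wininit.exe", "lsass.exe"}


def parent_is_spoofed(ev: ProcEvent) -> bool:
    """True when the recorded parent differs from the process that made the call."""
    return ev.ppid != ev.creator_pid


def service_parent_user_writable_child(ev: ProcEvent, processes=PROCESSES) -> bool:
    """True when a service host is the recorded parent of an image living in
    Temp/AppData/ProgramData, which those hosts do not normally launch."""
    parent = ntpath.basename(processes.get(ev.ppid, "")).lower()
    return parent in SERVICE_HOSTS and any(m in ev.image.lower() for m in USER_WRITABLE)


def findings(events=EVENTS, processes=PROCESSES):
    """Return [(pid, image, [reasons])] for events worth an analyst's attention."""
    out = []
    for ev in events:
        reasons = []
        if parent_is_spoofed(ev):
            reasons.append(f"recorded parent {ev.ppid} differs from creator {ev.creator_pid}")
        if service_parent_user_writable_child(ev, processes):
            parent_name = ntpath.basename(processes[ev.ppid])
            reasons.append(f"{parent_name} spawned an image from a user-writable path")
        if reasons:
            out.append((ev.pid, ev.image, reasons))
    return out


if __name__ == "__main__":
    for pid, image, reasons in findings():
        print(pid, image, "; ".join(reasons))
```

The second heuristic is deliberately independent of the creator field: where only Sysmon-style telemetry is available, a service host appearing as the parent of a binary in %TEMP% is still a usable signal, with scheduled-task launches (Task Scheduler runs inside svchost.exe) as the expected benign source to allowlist by task name.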

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EE33.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1302.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4AED.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunsuport.ini.lnk C:\Users\Admin\AppData\Local\Temp\EE33.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DF3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DF3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DF3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\7385.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\7385.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
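The persistence rows above form one pattern: 28BE.exe drops a binary named csrss.exe into the non-standard directory C:\Windows\rss and registers it under the user's Run key, while EE33.exe plants a .lnk in the Startup folder; both writers run from %TEMP%. The Python below is an added example, not part of the report or of any sandbox's own code. It parses the report's "Set value (str)" indicator (the data is printed as a C-style quoted literal, which is why the backslashes and quotes appear doubled above), extracts the executable from the command, and applies three checks a hunter would run over Run keys and Startup folders on a live host: a Windows system-binary name outside System32/SysWOW64, an autorun target in a user-writable directory, and an autostart entry written by a process that itself lives in Temp/AppData. The sample rows are copied from the tables above except for a constructed benign OneDrive entry used as a control; the (action, indicator, process) tuple layout is the example's own.

```python
"""Turn the persistence rows of a sandbox report into host-hunting checks:
autorun targets that masquerade as Windows system binaries or live in
user-writable directories, and autostart entries written by a process that
itself runs out of Temp/AppData."""
import ast
import ntpath

# Rows copied from the report as (action, indicator, process). The OneDrive
# row is a constructed benign control and is not from the report.
SAMPLE_ROWS = [
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""',
     r"C:\Users\Admin\AppData\Local\Temp\28BE.exe"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunsuport.ini.lnk",
     r"C:\Users\Admin\AppData\Local\Temp\EE33.exe"),
    ("File created",
     r"C:\Windows\rss\csrss.exe",
     r"C:\Users\Admin\AppData\Local\Temp\28BE.exe"),
    ("Set value (str)",  # constructed benign control
     r'\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"',
     r"C:\Program Files\OneDrive\OneDrive.exe"),
]

SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "c:\\programdata\\")
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\start menu\\programs\\startup\\")


def parse_reg_set(indicator):
    """Split a 'Set value (str)' indicator into (key, value name, decoded data).
    The data is a C-style quoted literal, so ast.literal_eval undoes the
    escaped quotes and doubled backslashes."""
    key_path, _, literal = indicator.partition(" = ")
    key, _, name = key_path.rpartition("\\")
    return key, name, ast.literal_eval(literal.strip())


def command_image(command):
    """Return the executable path from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def masquerades(path):
    """A protected-system-process name that does not live in System32/SysWOW64."""
    p = path.lower()
    return ntpath.basename(p) in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS)


def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def is_autostart(location):
    return any(m in location.lower() for m in AUTOSTART_MARKERS)


def assess_row(action, indicator, process):
    """Return (target path, [reasons]) for one report row; [] means nothing to flag."""
    reasons = []
    if action.startswith("Set value"):
        key, _, data = parse_reg_set(indicator)
        target = command_image(data)
        location = key + "\\"
        if in_user_writable(target):
            reasons.append("Run value points into a user-writable directory")
    else:
        target = indicator
        location = indicator
    if masquerades(target):
        reasons.append("system binary name outside System32/SysWOW64")
    if is_autostart(location) and in_user_writable(process):
        reasons.append("autostart entry written by a process running from a user-writable directory")
    return target, reasons


def hunt(rows=SAMPLE_ROWS):
    """All rows with at least one reason, in report order."""
    hits = []
    for row in rows:
        target, reasons = assess_row(*row)
        if reasons:
            hits.append((target, reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in hunt():
        print(target, "->", "; ".join(reasons))
```

On a live host the same three checks apply to the output of an autoruns enumeration (Run/RunOnce keys of every loaded hive, the per-user and all-users Startup folders, scheduled-task actions); the Startup .lnk case is the reason to resolve link targets rather than only inspecting the link file, since the .lnk itself necessarily sits under AppData.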

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5CD6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8639.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5CD6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5CD6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8639.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8639.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\28BE.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A (recorded 53 times; 52 identical rows collapsed into this one)
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8639.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5331.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 5036 N/A N/A C:\Users\Admin\AppData\Local\Temp\5331.exe
PID 2456 wrote to memory of 5036 N/A N/A C:\Users\Admin\AppData\Local\Temp\5331.exe
PID 2456 wrote to memory of 5036 N/A N/A C:\Users\Admin\AppData\Local\Temp\5331.exe
PID 2456 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD6.exe
PID 2456 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD6.exe
PID 2456 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD6.exe
PID 2456 wrote to memory of 3776 N/A N/A C:\Users\Admin\AppData\Local\Temp\8639.exe
PID 2456 wrote to memory of 3776 N/A N/A C:\Users\Admin\AppData\Local\Temp\8639.exe
PID 2456 wrote to memory of 3776 N/A N/A C:\Users\Admin\AppData\Local\Temp\8639.exe
PID 2456 wrote to memory of 1640 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2456 wrote to memory of 1640 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1640 wrote to memory of 1420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1640 wrote to memory of 1420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1640 wrote to memory of 1420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2456 wrote to memory of 3732 N/A N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe
PID 2456 wrote to memory of 3732 N/A N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe
PID 2456 wrote to memory of 3732 N/A N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe
PID 3732 wrote to memory of 97116 N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 97116 N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 97116 N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 97116 N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 97116 N/A C:\Users\Admin\AppData\Local\Temp\C1BE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2456 wrote to memory of 97236 N/A N/A C:\Users\Admin\AppData\Local\Temp\D016.exe
PID 2456 wrote to memory of 97236 N/A N/A C:\Users\Admin\AppData\Local\Temp\D016.exe
PID 2456 wrote to memory of 97236 N/A N/A C:\Users\Admin\AppData\Local\Temp\D016.exe
PID 2456 wrote to memory of 97144 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe
PID 2456 wrote to memory of 97144 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe
PID 2456 wrote to memory of 97144 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe
PID 2456 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\Temp\D911.exe
PID 2456 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\Temp\D911.exe
PID 2456 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\Temp\D911.exe
PID 97236 wrote to memory of 97332 N/A C:\Users\Admin\AppData\Local\Temp\D016.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 97236 wrote to memory of 97332 N/A C:\Users\Admin\AppData\Local\Temp\D016.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 97236 wrote to memory of 97332 N/A C:\Users\Admin\AppData\Local\Temp\D016.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2456 wrote to memory of 97344 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF3C.exe
PID 2456 wrote to memory of 97344 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF3C.exe
PID 2456 wrote to memory of 97344 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF3C.exe
PID 97236 wrote to memory of 97332 N/A C:\Users\Admin\AppData\Local\Temp\D016.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 97236 wrote to memory of 97332 N/A C:\Users\Admin\AppData\Local\Temp\D016.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 97144 wrote to memory of 97424 N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 97144 wrote to memory of 97424 N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 97144 wrote to memory of 97424 N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 97144 wrote to memory of 97424 N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2456 wrote to memory of 97440 N/A N/A C:\Windows\System32\Conhost.exe
PID 2456 wrote to memory of 97440 N/A N/A C:\Windows\System32\Conhost.exe
PID 97144 wrote to memory of 97424 N/A C:\Users\Admin\AppData\Local\Temp\D3A2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1960 wrote to memory of 97544 N/A C:\Users\Admin\AppData\Local\Temp\D911.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1960 wrote to memory of 97544 N/A C:\Users\Admin\AppData\Local\Temp\D911.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1960 wrote to memory of 97544 N/A C:\Users\Admin\AppData\Local\Temp\D911.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1960 wrote to memory of 97544 N/A C:\Users\Admin\AppData\Local\Temp\D911.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1960 wrote to memory of 97544 N/A C:\Users\Admin\AppData\Local\Temp\D911.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2456 wrote to memory of 97624 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE33.exe
PID 2456 wrote to memory of 97624 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE33.exe
PID 2456 wrote to memory of 97624 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE33.exe
PID 2456 wrote to memory of 97784 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2456 wrote to memory of 97784 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2456 wrote to memory of 97784 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2456 wrote to memory of 97784 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2456 wrote to memory of 97824 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe
PID 2456 wrote to memory of 97824 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe
PID 2456 wrote to memory of 97824 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6A0.exe
PID 97624 wrote to memory of 97852 N/A C:\Users\Admin\AppData\Local\Temp\EE33.exe C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe
PID 97624 wrote to memory of 97852 N/A C:\Users\Admin\AppData\Local\Temp\EE33.exe C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe
PID 97624 wrote to memory of 97852 N/A C:\Users\Admin\AppData\Local\Temp\EE33.exe C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\5331.exe

C:\Users\Admin\AppData\Local\Temp\5331.exe

C:\Users\Admin\AppData\Local\Temp\5CD6.exe

C:\Users\Admin\AppData\Local\Temp\5CD6.exe

C:\Users\Admin\AppData\Local\Temp\8639.exe

C:\Users\Admin\AppData\Local\Temp\8639.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A163.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A163.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1272

C:\Users\Admin\AppData\Local\Temp\C1BE.exe

C:\Users\Admin\AppData\Local\Temp\C1BE.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 93828

C:\Users\Admin\AppData\Local\Temp\D016.exe

C:\Users\Admin\AppData\Local\Temp\D016.exe

C:\Users\Admin\AppData\Local\Temp\D3A2.exe

C:\Users\Admin\AppData\Local\Temp\D3A2.exe

C:\Users\Admin\AppData\Local\Temp\D911.exe

C:\Users\Admin\AppData\Local\Temp\D911.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\DF3C.exe

C:\Users\Admin\AppData\Local\Temp\DF3C.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\E5E5.exe

C:\Users\Admin\AppData\Local\Temp\E5E5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 540 -p 97440 -ip 97440

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 97440 -s 428

C:\Users\Admin\AppData\Local\Temp\EE33.exe

C:\Users\Admin\AppData\Local\Temp\EE33.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\F6A0.exe

C:\Users\Admin\AppData\Local\Temp\F6A0.exe

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

"C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1302.exe

C:\Users\Admin\AppData\Local\Temp\1302.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\1302.exe

"C:\Users\Admin\AppData\Local\Temp\1302.exe" -h

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 97544 -ip 97544

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im AppLaunch.exe /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 97544 -s 1768

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\28BE.exe

C:\Users\Admin\AppData\Local\Temp\28BE.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0a804f50,0x7ffd0a804f60,0x7ffd0a804f70

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\28BE.exe

"C:\Users\Admin\AppData\Local\Temp\28BE.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 97344 -ip 97344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 97344 -s 760

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\4AED.exe

C:\Users\Admin\AppData\Local\Temp\4AED.exe

C:\Users\Admin\AppData\Local\Temp\4AED.exe

"C:\Users\Admin\AppData\Local\Temp\4AED.exe" -h

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3892 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,12135978019067335241,15664577641248412644,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\7385.exe

C:\Users\Admin\AppData\Local\Temp\7385.exe

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0b094f50,0x7ffd0b094f60,0x7ffd0b094f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,17443844971990817147,10088696692801823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\B830.exe

C:\Users\Admin\AppData\Local\Temp\B830.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 568 -p 7800 -ip 7800

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7800 -s 424

Network


Files

C:\Users\Admin\AppData\Local\Temp\5331.exe

C:\Users\Admin\AppData\Local\Temp\5CD6.exe

C:\Users\Admin\AppData\Local\Temp\8639.exe

C:\Users\Admin\AppData\Local\Temp\A163.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

memory/5036-165-0x0000000006840000-0x0000000006A02000-memory.dmp

memory/1420-164-0x0000000000000000-mapping.dmp

memory/5036-166-0x0000000006A10000-0x0000000006F3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A163.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

memory/3776-168-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/1420-169-0x0000000002AA0000-0x0000000002BBC000-memory.dmp

memory/1420-170-0x0000000002CE0000-0x0000000002DFC000-memory.dmp

memory/5036-171-0x0000000000C59000-0x0000000000C8A000-memory.dmp

memory/5036-172-0x0000000000400000-0x000000000086C000-memory.dmp

memory/1420-173-0x0000000000FF0000-0x00000000010AE000-memory.dmp

memory/1420-174-0x0000000002E00000-0x0000000002EA9000-memory.dmp

memory/1420-177-0x0000000002CE0000-0x0000000002DFC000-memory.dmp

memory/3732-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C1BE.exe

MD5 8cd2e049bdbb6954e7ddaed3eb63dc79
SHA1 f0715504d291f42753ccb8cb340524369da00d49
SHA256 f513aa13542f7444fffa8d5a826633fee3a90ff90e9d6fdc7c67211ab1d51205
SHA512 45539036718e6d90581d5e007f45e4e283d0a570c60b33c18194c3e1467dfe586a89da62f358ef959ab695bc0e45e77c57f88deb1433a4763ee640fb8d1e501b

C:\Users\Admin\AppData\Local\Temp\C1BE.exe

MD5 8cd2e049bdbb6954e7ddaed3eb63dc79
SHA1 f0715504d291f42753ccb8cb340524369da00d49
SHA256 f513aa13542f7444fffa8d5a826633fee3a90ff90e9d6fdc7c67211ab1d51205
SHA512 45539036718e6d90581d5e007f45e4e283d0a570c60b33c18194c3e1467dfe586a89da62f358ef959ab695bc0e45e77c57f88deb1433a4763ee640fb8d1e501b

memory/97116-181-0x0000000000000000-mapping.dmp

memory/97116-182-0x0000000000400000-0x0000000000460000-memory.dmp

memory/97236-187-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D016.exe

MD5 d000c34a574ee1bf2354bf4aa1c59cc7
SHA1 27f15cc0088b1a66c68d07f82f544c843c22e56e
SHA256 3db9830c78a0b03c58c7f227685044fd2b2d6aefc5de015e65ea1d9021343c33
SHA512 434548fde748bf3c8ed7b15891d1c9de6d68ad7a5fe7603835a2128ce783ff97e32a8f9f4c78ad905c618f8737cb00ce49a671cfa2013463042b2d98709758ca

C:\Users\Admin\AppData\Local\Temp\D016.exe

MD5 d000c34a574ee1bf2354bf4aa1c59cc7
SHA1 27f15cc0088b1a66c68d07f82f544c843c22e56e
SHA256 3db9830c78a0b03c58c7f227685044fd2b2d6aefc5de015e65ea1d9021343c33
SHA512 434548fde748bf3c8ed7b15891d1c9de6d68ad7a5fe7603835a2128ce783ff97e32a8f9f4c78ad905c618f8737cb00ce49a671cfa2013463042b2d98709758ca

memory/97144-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D3A2.exe

MD5 5495cf6ada457e516aef6bfc42d98da0
SHA1 52ead008a515dcaf06a06dd18ddeb54dc35a07f0
SHA256 5326d545bd52b40f4b9631b95dba418a9ea5c394259bcc68901f402a334c8c8d
SHA512 5c26ae915f4a6a50b78007199275a8df01ffb2728638ff24b23ae42c3862a9060d22f710dc71bcb437abf6a9e4e9b523b54a6fe4d84808da912b8b5fe87f4a05

C:\Users\Admin\AppData\Local\Temp\D3A2.exe

MD5 5495cf6ada457e516aef6bfc42d98da0
SHA1 52ead008a515dcaf06a06dd18ddeb54dc35a07f0
SHA256 5326d545bd52b40f4b9631b95dba418a9ea5c394259bcc68901f402a334c8c8d
SHA512 5c26ae915f4a6a50b78007199275a8df01ffb2728638ff24b23ae42c3862a9060d22f710dc71bcb437abf6a9e4e9b523b54a6fe4d84808da912b8b5fe87f4a05

memory/1960-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D911.exe

MD5 8f583554c303d00fe3397a1c04da6fbc
SHA1 0c771437de5046bc9ceefd5321dffb2a1d06ba75
SHA256 e49558e423b68f78714658817dd0b7eef7fc91273272593ed48013c1438a423b
SHA512 0c097b2d3ef0093ae5807b188acd07dfb3e21d43ae90198b13f42613558433d7f34031a4f4fc0b283ce71f090f606b75f10df49952df62e7241f7dc63bcbdba8

C:\Users\Admin\AppData\Local\Temp\D911.exe

MD5 8f583554c303d00fe3397a1c04da6fbc
SHA1 0c771437de5046bc9ceefd5321dffb2a1d06ba75
SHA256 e49558e423b68f78714658817dd0b7eef7fc91273272593ed48013c1438a423b
SHA512 0c097b2d3ef0093ae5807b188acd07dfb3e21d43ae90198b13f42613558433d7f34031a4f4fc0b283ce71f090f606b75f10df49952df62e7241f7dc63bcbdba8

memory/97344-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DF3C.exe

MD5 36cc006abe801af7acd1dd7a8e6d3936
SHA1 c822f159daeb7cd5ba00e20548773394fc2ac85d
SHA256 9f10ab9e407a18b8911ad89d975ba1d37d456becf252463d4d44f2c83689efa9
SHA512 1baf12085a0e2808b0895f1aa78b6ae722399a90cc3716cd869f99c8a9baa8a88d80c93088cf43943161ca9e4180935e880caa0e9d980065094051e972a593b4

C:\Users\Admin\AppData\Local\Temp\DF3C.exe

MD5 36cc006abe801af7acd1dd7a8e6d3936
SHA1 c822f159daeb7cd5ba00e20548773394fc2ac85d
SHA256 9f10ab9e407a18b8911ad89d975ba1d37d456becf252463d4d44f2c83689efa9
SHA512 1baf12085a0e2808b0895f1aa78b6ae722399a90cc3716cd869f99c8a9baa8a88d80c93088cf43943161ca9e4180935e880caa0e9d980065094051e972a593b4

memory/97332-198-0x0000000000400000-0x0000000000428000-memory.dmp

memory/97332-196-0x0000000000000000-mapping.dmp

memory/97424-205-0x0000000000000000-mapping.dmp

memory/97424-206-0x0000000000400000-0x0000000000420000-memory.dmp

memory/97440-207-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E5E5.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

C:\Users\Admin\AppData\Local\Temp\E5E5.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

memory/97440-214-0x0000000140000000-0x0000000140608000-memory.dmp

memory/97544-219-0x0000000000400000-0x000000000045D000-memory.dmp

memory/97544-217-0x0000000000000000-mapping.dmp

memory/97544-225-0x0000000000400000-0x000000000045D000-memory.dmp

memory/97624-226-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EE33.exe

MD5 789598a08bc57fea514d9ffd8f072b71
SHA1 7fc3b548b599eca588b54a5d78378be24ba4fc91
SHA256 6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
SHA512 6bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b

C:\Users\Admin\AppData\Local\Temp\EE33.exe

MD5 789598a08bc57fea514d9ffd8f072b71
SHA1 7fc3b548b599eca588b54a5d78378be24ba4fc91
SHA256 6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
SHA512 6bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b

memory/97344-229-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

memory/97344-230-0x0000000002BF0000-0x0000000002C00000-memory.dmp

memory/97784-232-0x0000000000000000-mapping.dmp

memory/97344-231-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/97824-233-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F6A0.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

memory/97852-236-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

MD5 b2b27ccaded1db8ee341d5bd2c373044
SHA1 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256 e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA512 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

C:\Users\Admin\AppData\Roaming\windows_update_253746\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICL32.dll

MD5 d3d39180e85700f72aaae25e40c125ff
SHA1 f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

MD5 b2b27ccaded1db8ee341d5bd2c373044
SHA1 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256 e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA512 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

C:\Users\Admin\AppData\Local\Temp\F6A0.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

C:\Users\Admin\AppData\Roaming\windows_update_253746\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\Users\Admin\AppData\Roaming\windows_update_253746\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\windows_update_253746\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\windows_update_253746\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.ini

MD5 874c5276a1fc02b5c6d8de8a84840b39
SHA1 14534f690a2bd59c9dffa2e0ec6d8d7bf6d7d532
SHA256 65f069cb4c4cb4986a5b175ac24d6db46ac443372afc59ce8d17e4a8aa4a5ee2
SHA512 eb5bfe008f98abb855d2f5eee8f31e14c864af05561b7c31f2f454ca8e91518fa091c0bf6b2432a27ca3a4be1a1edd1ce1ec5f60ac37e25a873a9c0211bdb498

C:\Users\Admin\AppData\Roaming\windows_update_253746\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

C:\Users\Admin\AppData\Roaming\windows_update_253746\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

C:\Users\Admin\AppData\Roaming\windows_update_253746\NSM.LIC

MD5 cf5c9379d49e8627b9adc7c902298212
SHA1 f49d19ca9bc87c0bc3c85a3651716eb9a457bc7e
SHA256 2e944bcfca261a5bc15f012077dc00837b81295f5c19ef8417ad6b65ebdabc71
SHA512 64ef0c20d0e1b6afb9ca9b262397b03dd5051b54a76decaa088b3e932a6ad93a4f6045f3c9ee4c852d3302c374f42a6f7c481287d3507740ec37a09d512b0d6e

C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICHEK.DLL

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\Users\Admin\AppData\Roaming\windows_update_253746\pcichek.dll

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICL32.DLL

MD5 d3d39180e85700f72aaae25e40c125ff
SHA1 f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

memory/98012-252-0x0000000000000000-mapping.dmp

memory/97784-253-0x0000000001080000-0x0000000001087000-memory.dmp

memory/97824-255-0x0000000000400000-0x000000000058E000-memory.dmp

memory/98012-256-0x0000000000BB0000-0x0000000000BBF000-memory.dmp

memory/97784-254-0x0000000000C30000-0x0000000000C3B000-memory.dmp

memory/2456-257-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-259-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-260-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-258-0x00000000073F0000-0x0000000007400000-memory.dmp

memory/2456-261-0x0000000008080000-0x0000000008090000-memory.dmp

memory/98204-263-0x0000000000000000-mapping.dmp

memory/2456-266-0x0000000008080000-0x0000000008090000-memory.dmp

memory/98012-265-0x0000000000BC0000-0x0000000000BC9000-memory.dmp

memory/2456-267-0x0000000008080000-0x0000000008090000-memory.dmp

memory/98204-270-0x0000000001190000-0x0000000001195000-memory.dmp

memory/2456-273-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-280-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-277-0x0000000008080000-0x0000000008090000-memory.dmp

memory/98284-276-0x0000000000000000-mapping.dmp

memory/98204-275-0x0000000001180000-0x0000000001189000-memory.dmp

memory/2456-271-0x0000000008080000-0x0000000008090000-memory.dmp

memory/97544-269-0x0000000060900000-0x0000000060992000-memory.dmp

memory/2456-268-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-264-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-262-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-283-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-286-0x0000000008080000-0x0000000008090000-memory.dmp

memory/98284-288-0x0000000000C90000-0x0000000000C9C000-memory.dmp

memory/2456-284-0x0000000007F20000-0x0000000007F30000-memory.dmp

memory/2456-282-0x0000000007F20000-0x0000000007F30000-memory.dmp

memory/2456-291-0x0000000008080000-0x0000000008090000-memory.dmp

memory/2456-293-0x0000000008080000-0x0000000008090000-memory.dmp

memory/97264-290-0x0000000000000000-mapping.dmp

memory/97424-296-0x0000000005970000-0x00000000059E6000-memory.dmp

memory/2456-297-0x0000000008080000-0x0000000008090000-memory.dmp

memory/97264-303-0x00000000004B0000-0x00000000004D2000-memory.dmp

memory/97264-306-0x0000000000480000-0x00000000004A7000-memory.dmp

memory/97424-307-0x0000000005A50000-0x0000000005A6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1302.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/97180-301-0x0000000000000000-mapping.dmp

memory/97456-300-0x0000000000000000-mapping.dmp

memory/98284-299-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

memory/97180-310-0x0000000000590000-0x0000000000599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1302.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

C:\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

memory/97720-317-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1302.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/97628-319-0x0000000000000000-mapping.dmp

memory/97628-322-0x0000000001180000-0x000000000118B000-memory.dmp

memory/97628-321-0x0000000001190000-0x0000000001196000-memory.dmp

memory/97180-320-0x00000000005A0000-0x00000000005A5000-memory.dmp

memory/98280-323-0x0000000000000000-mapping.dmp

memory/97124-324-0x0000000000000000-mapping.dmp

memory/97188-325-0x0000000000000000-mapping.dmp

memory/97208-326-0x0000000000000000-mapping.dmp

memory/98280-327-0x0000000000690000-0x0000000000697000-memory.dmp

memory/98280-328-0x0000000000680000-0x000000000068D000-memory.dmp

memory/2856-330-0x0000000000000000-mapping.dmp

memory/3104-329-0x0000000000000000-mapping.dmp

memory/3900-331-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1 bbac1dd8a07c6069415c04b62747d794736d0689
SHA256 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512 b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

C:\Users\Admin\AppData\LocalLow\nss3.dll

MD5 f67d08e8c02574cbc2f1122c53bfb976
SHA1 6522992957e7e4d074947cad63189f308a80fcf2
SHA256 c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA512 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

C:\Users\Admin\AppData\LocalLow\mozglue.dll

MD5 f07d9977430e762b563eaadc2b94bbfa
SHA1 da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA256 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA512 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

memory/3900-335-0x0000000000750000-0x0000000000758000-memory.dmp

memory/3900-336-0x0000000000740000-0x000000000074B000-memory.dmp

memory/936-337-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\28BE.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

C:\Users\Admin\AppData\Local\Temp\28BE.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

memory/97344-340-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

memory/3480-341-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\28BE.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

memory/936-343-0x0000000004DDE000-0x00000000051C7000-memory.dmp

memory/97344-344-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/936-345-0x00000000051D0000-0x0000000005A46000-memory.dmp

memory/97824-346-0x0000000000400000-0x000000000058E000-memory.dmp

\??\pipe\crashpad_2096_XQXTJKEGTLEJCUCO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 eb12b384d6265240ddbf17207687c61c
SHA1 22b1587468fb41647d620cc4b0a14cc051a1ecc6
SHA256 c86a931924fbfc684cd0d1d34a29bb0a636f8019a7bf349b2f70ab493db89540
SHA512 a714b887b9931b04eefc2d7c6dd3b34d98c26d5bfd0818f07c68c518cd2a8684f138fa128bc83773b48051f86252bc971b74bbd8be188a5f9cfc9ea39ac799ca

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

MD5 c8d8c174df68910527edabe6b5278f06
SHA1 8ac53b3605fea693b59027b9b471202d150f266f
SHA256 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512 d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

MD5 f79618c53614380c5fdc545699afe890
SHA1 7804a4621cd9405b6def471f3ebedb07fb17e90a
SHA256 f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c
SHA512 c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

MD5 6da6b303170ccfdca9d9e75abbfb59f3
SHA1 1a8070080f50a303f73eba253ba49c1e6d400df6
SHA256 66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333
SHA512 872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

memory/5296-365-0x0000000000000000-mapping.dmp

memory/5348-366-0x0000000000000000-mapping.dmp

memory/5488-369-0x0000000000000000-mapping.dmp

memory/5584-374-0x0000000000000000-mapping.dmp

memory/5660-375-0x0000000000000000-mapping.dmp

memory/5932-381-0x0000000000000000-mapping.dmp

memory/5900-379-0x0000000000000000-mapping.dmp

memory/6064-383-0x0000000000000000-mapping.dmp

memory/6420-386-0x0000000000000000-mapping.dmp

memory/6480-387-0x0000000000000000-mapping.dmp

memory/6596-392-0x0000000000000000-mapping.dmp

memory/6652-393-0x0000000000000000-mapping.dmp

memory/6692-399-0x0000000000000000-mapping.dmp

memory/6744-400-0x0000000000000000-mapping.dmp

memory/7800-405-0x0000000000000000-mapping.dmp