Malware Analysis Report

2025-06-16 01:50

Sample ID 220909-pc6htsbhem
Target file.exe
SHA256 c28979c726cf60a9bfe8fb473783fb3e86dba470901d3ad459d9065bf85c66b7
Tags
dcrat djvu glupteba netsupport raccoon redline smokeloader socelars 1337 567d5bff28c2a18132d2f88511f07435 mario_new nam5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c28979c726cf60a9bfe8fb473783fb3e86dba470901d3ad459d9065bf85c66b7

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

DcRat

Socelars payload

RedLine

Djvu Ransomware

SmokeLoader

Raccoon

NetSupport

Suspicious use of NtCreateUserProcessOtherParentProcess

Detected Djvu ransomware

RedLine payload

Socelars

Process spawned unexpected child process

Detects Smokeloader packer

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

VMProtect packed file

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Drops startup file

Modifies file permissions

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Enumerates system info in registry

Script User-Agent

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-09 12:12

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-09 12:12

Reported

2022-09-09 12:14

Platform

win10v2004-20220812-en

Max time kernel

134s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

NetSupport

rat netsupport

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4264 created 4548 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\DAE7.exe
PID 4264 created 4636 N/A C:\Windows\system32\svchost.exe C:\Windows\rss\csrss.exe
PID 4264 created 4636 N/A C:\Windows\system32\svchost.exe C:\Windows\rss\csrss.exe

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\444D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6515.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\903F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6DC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\114F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\172C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25C4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\172C.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\172C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\172C.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AD00.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DFAB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\25C4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\172C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\172C.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunsuport.ini.lnk C:\Users\Admin\AppData\Local\Temp\25C4.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\79558734-2b13-4a42-93c5-d2a00f6470fd\\172C.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\172C.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\E8A5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\9987.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\444D.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6515.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6515.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6515.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\444D.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\444D.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\444D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6515.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1CDE.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
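
The rows above record one event per privilege per process, which hides the pattern: 9987.exe enabled every privilege the sandbox could name and five it could not (the numeric entries 31 to 35 are privilege LUIDs left unresolved; they follow SeCreateGlobalPrivilege, LUID 30), while taskkill.exe enabled only SeDebugPrivilege, which it needs to terminate chrome.exe. The script below is an added example, not part of the original report: it collapses such rows per process and marks the privileges that matter for escalation. SAMPLE_ROWS is a subset copied from the table above; the HIGH_RISK set and the BLANKET_MIN threshold are my own choices.

```python
"""Collapse the per-privilege 'Token' rows into a per-process view.

Added example, not part of the original report. SAMPLE_ROWS is a subset of
the rows in the table above; HIGH_RISK and BLANKET_MIN are my own choices.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the table above, in the report's own
# "Token: <privilege> <indicator> <process> <target>" layout.
SAMPLE_ROWS = """\
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeTcbPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe N/A
Token: SeLoadDriverPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe N/A
Token: SeDebugPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe N/A
Token: SeImpersonatePrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe N/A
Token: 31 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe N/A
Token: 35 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe N/A
Token: SeDebugPrivilege N/A C:\\Windows\\SysWOW64\\taskkill.exe N/A
"""

# Privileges that let a process leave the ordinary user sandbox (my selection).
HIGH_RISK = {
    "SeDebugPrivilege",          # open and write any process
    "SeTcbPrivilege",            # act as part of the operating system
    "SeLoadDriverPrivilege",     # load kernel code
    "SeImpersonatePrivilege",    # impersonate connecting clients
    "SeBackupPrivilege",         # read any file regardless of ACL
    "SeRestorePrivilege",        # write any file regardless of ACL
    "SeTakeOwnershipPrivilege",  # take over any securable object
}
BLANKET_MIN = 20  # assumed threshold: this many distinct privileges in one process = a sweep

# <indicator> and <target> are always N/A in this table; <process> may contain spaces.
ROW_RE = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(.+?)\s+N/A$")


def parse_privileges(text):
    """Return {process_path: set(privilege names)}; rows without a path go to 'unknown'."""
    enabled = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        priv, proc = m.groups()
        enabled["unknown" if proc == "N/A" else proc].add(priv)
    return dict(enabled)


def triage(enabled):
    """Per process: how many privileges, which high-risk ones, and whether the set
    looks like 'enable everything' rather than a targeted AdjustTokenPrivileges call."""
    report = {}
    for proc, privs in enabled.items():
        # Numeric entries are privilege LUIDs the sandbox did not map to a name
        # (31-35 follow SeCreateGlobalPrivilege, LUID 30); seeing them next to every
        # named privilege suggests the sample walked the whole privilege range.
        unnamed = sorted((p for p in privs if p.isdigit()), key=int)
        report[proc] = {
            "count": len(privs),
            "high_risk": sorted(privs & HIGH_RISK),
            "unnamed_luids": unnamed,
            "blanket_enable": len(privs) >= BLANKET_MIN or bool(unnamed),
        }
    return report


if __name__ == "__main__":
    for proc, info in triage(parse_privileges(SAMPLE_ROWS)).items():
        print(f"{proc}: {info}")
```

Run against the full table, the only process that trips `blanket_enable` is 9987.exe; taskkill.exe shows up with a single high-risk privilege, which is the expected shape for a legitimate tool.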

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (26 identical rows)
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (26 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (48 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDE.exe
PID 512 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDE.exe
PID 512 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDE.exe
PID 512 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\Temp\444D.exe
PID 512 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\Temp\444D.exe
PID 512 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\Temp\444D.exe
PID 512 wrote to memory of 736 N/A N/A C:\Users\Admin\AppData\Local\Temp\6515.exe
PID 512 wrote to memory of 736 N/A N/A C:\Users\Admin\AppData\Local\Temp\6515.exe
PID 512 wrote to memory of 736 N/A N/A C:\Users\Admin\AppData\Local\Temp\6515.exe
PID 512 wrote to memory of 1372 N/A N/A C:\Windows\system32\regsvr32.exe
PID 512 wrote to memory of 1372 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1372 wrote to memory of 4316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 4316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 4316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 512 wrote to memory of 936 N/A N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe
PID 512 wrote to memory of 936 N/A N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe
PID 512 wrote to memory of 936 N/A N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe
PID 512 wrote to memory of 46556 N/A N/A C:\Users\Admin\AppData\Local\Temp\903F.exe
PID 512 wrote to memory of 46556 N/A N/A C:\Users\Admin\AppData\Local\Temp\903F.exe
PID 512 wrote to memory of 46832 N/A N/A C:\Users\Admin\AppData\Local\Temp\9987.exe
PID 512 wrote to memory of 46832 N/A N/A C:\Users\Admin\AppData\Local\Temp\9987.exe
PID 512 wrote to memory of 46832 N/A N/A C:\Users\Admin\AppData\Local\Temp\9987.exe
PID 936 wrote to memory of 59216 N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 936 wrote to memory of 59216 N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 936 wrote to memory of 59216 N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 936 wrote to memory of 59216 N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 936 wrote to memory of 59216 N/A C:\Users\Admin\AppData\Local\Temp\86B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 46832 wrote to memory of 46688 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe C:\Windows\SysWOW64\cmd.exe
PID 46832 wrote to memory of 46688 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe C:\Windows\SysWOW64\cmd.exe
PID 46832 wrote to memory of 46688 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe C:\Windows\SysWOW64\cmd.exe
PID 46688 wrote to memory of 59292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 46688 wrote to memory of 59292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 46688 wrote to memory of 59292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 512 wrote to memory of 59476 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe
PID 512 wrote to memory of 59476 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe
PID 512 wrote to memory of 59476 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe
PID 59476 wrote to memory of 59560 N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe C:\Users\Admin\AppData\Local\Temp\AD00.exe
PID 59476 wrote to memory of 59560 N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe C:\Users\Admin\AppData\Local\Temp\AD00.exe
PID 59476 wrote to memory of 59560 N/A C:\Users\Admin\AppData\Local\Temp\AD00.exe C:\Users\Admin\AppData\Local\Temp\AD00.exe
PID 59668 wrote to memory of 59692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 59668 wrote to memory of 59692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 59668 wrote to memory of 59692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 46832 wrote to memory of 59736 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 46832 wrote to memory of 59736 N/A C:\Users\Admin\AppData\Local\Temp\9987.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 59772 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 59772 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 59736 wrote to memory of 60012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
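
Each row above is one WriteProcessMemory call, so repeated rows are the same writer/target pair hit several times, and the sandbox records the writes a parent performs while starting a child as well as genuine injection. The script below is an added example, not the sandbox's code: it collapses the rows into one edge per writer/target pair with a count, rebuilds the writer/target tree, and flags two patterns worth a closer look in this report, a binary dropped in Temp writing into a signed Microsoft host that is a common hollowing target (86B8.exe into AppLaunch.exe) and a process writing into a fresh copy of itself (AD00.exe into AD00.exe). SAMPLE_ROWS is copied from the table above; HOLLOW_HOSTS and both heuristics are my own. PID 512 has no path anywhere in the table, so it is rendered as such rather than guessed.

```python
"""Rebuild writer/target chains from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the original report. SAMPLE_ROWS is copied from
the table above; HOLLOW_HOSTS and the two flagging heuristics are my own.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the table above. Layout is
# "PID <writer> wrote to memory of <target> <indicator> <writer path|N/A> <target path>".
SAMPLE_ROWS = """\
PID 512 wrote to memory of 2200 N/A N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\1CDE.exe
PID 512 wrote to memory of 2200 N/A N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\1CDE.exe
PID 512 wrote to memory of 1372 N/A N/A C:\\Windows\\system32\\regsvr32.exe
PID 1372 wrote to memory of 4316 N/A C:\\Windows\\system32\\regsvr32.exe C:\\Windows\\SysWOW64\\regsvr32.exe
PID 512 wrote to memory of 936 N/A N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\86B8.exe
PID 936 wrote to memory of 59216 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\86B8.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
PID 936 wrote to memory of 59216 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\86B8.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
PID 512 wrote to memory of 46832 N/A N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe
PID 46832 wrote to memory of 46688 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\9987.exe C:\\Windows\\SysWOW64\\cmd.exe
PID 46688 wrote to memory of 59292 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\taskkill.exe
PID 59476 wrote to memory of 59560 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\AD00.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\AD00.exe
"""

# Paths start with a drive letter, so the non-greedy writer path stops at the start of
# the target path even when either contains spaces (e.g. "C:\Program Files\...").
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(N/A|[A-Za-z]:\\.*?)\s+([A-Za-z]:\\.*)$"
)

# Signed Microsoft binaries routinely used as hosts for hollowing/injection (my list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "vbc.exe", "rundll32.exe", "regsvr32.exe", "explorer.exe"}
TEMP_MARK = "\\appdata\\local\\temp\\"


def parse_writes(text):
    """Collapse repeated rows into {(writer_pid, target_pid): write_count} and
    a {pid: path} map learned from both path columns."""
    edges, names = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_path, dst_path = m.groups()
        src, dst = int(src), int(dst)
        names[dst] = dst_path
        if src_path != "N/A":
            names[src] = src_path
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
    return edges, names


def flag_edges(edges, names):
    """Heuristics, not sandbox verdicts: a Temp-dropped binary writing into a known
    hollowing host, or a process writing into a fresh copy of itself."""
    flags = {}
    for src, dst in edges:
        s, d = names.get(src, "").lower(), names.get(dst, "").lower()
        reasons = []
        if TEMP_MARK in s and d.rsplit("\\", 1)[-1] in HOLLOW_HOSTS:
            reasons.append("temp-dropped binary writes into " + d.rsplit("\\", 1)[-1])
        if s and s == d:
            reasons.append("writes into a fresh copy of itself")
        if reasons:
            flags[(src, dst)] = reasons
    return flags


def render_tree(edges, names):
    """Indented writer -> target listing, one line per process, write counts on edges."""
    children = defaultdict(list)
    for (src, dst), n in sorted(edges.items()):
        children[src].append((dst, n))
    targets = {dst for _, dst in edges}
    lines = []

    def walk(pid, depth, count):
        tag = f" (x{count})" if count else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, '<no path in report>')}{tag}")
        for dst, n in children.get(pid, []):
            walk(dst, depth + 1, n)

    for root in sorted(p for p in children if p not in targets):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    edges, names = parse_writes(SAMPLE_ROWS)
    print("\n".join(render_tree(edges, names)))
    for edge, reasons in flag_edges(edges, names).items():
        print(edge, reasons)
```

The 9987.exe to cmd.exe and cmd.exe to taskkill.exe edges are deliberately not flagged: a 32-bit parent writing into a child it has just created is what the Processes section shows (cmd.exe /c taskkill /f /im chrome.exe), and the interesting fact there is the command line, not the write.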

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\1CDE.exe

C:\Users\Admin\AppData\Local\Temp\1CDE.exe

C:\Users\Admin\AppData\Local\Temp\444D.exe

C:\Users\Admin\AppData\Local\Temp\444D.exe

C:\Users\Admin\AppData\Local\Temp\6515.exe

C:\Users\Admin\AppData\Local\Temp\6515.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1484

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\70BE.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\70BE.dll

C:\Users\Admin\AppData\Local\Temp\86B8.exe

C:\Users\Admin\AppData\Local\Temp\86B8.exe

C:\Users\Admin\AppData\Local\Temp\903F.exe

C:\Users\Admin\AppData\Local\Temp\903F.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 488 -p 46556 -ip 46556

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 46556 -s 424

C:\Users\Admin\AppData\Local\Temp\9987.exe

C:\Users\Admin\AppData\Local\Temp\9987.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 936 -ip 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 55872

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\AD00.exe

C:\Users\Admin\AppData\Local\Temp\AD00.exe

C:\Users\Admin\AppData\Local\Temp\AD00.exe

"C:\Users\Admin\AppData\Local\Temp\AD00.exe" -h

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 59692 -ip 59692

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 59692 -s 600

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff99e394f50,0x7ff99e394f60,0x7ff99e394f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5048 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

C:\Users\Admin\AppData\Local\Temp\DFAB.exe

C:\Users\Admin\AppData\Local\Temp\DFAB.exe

C:\Users\Admin\AppData\Local\Temp\DFAB.exe

"C:\Users\Admin\AppData\Local\Temp\DFAB.exe" -h

C:\Users\Admin\AppData\Local\Temp\E8A5.exe

C:\Users\Admin\AppData\Local\Temp\E8A5.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 600

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

"C:\Users\Admin\AppData\Local\Temp\DAE7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,2971478430761053211,5813172249623539184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\6DC.exe

C:\Users\Admin\AppData\Local\Temp\6DC.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99e394f50,0x7ff99e394f60,0x7ff99e394f70

C:\Users\Admin\AppData\Local\Temp\92F.exe

C:\Users\Admin\AppData\Local\Temp\92F.exe

C:\Users\Admin\AppData\Local\Temp\A59.exe

C:\Users\Admin\AppData\Local\Temp\A59.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 568 -p 2240 -ip 2240

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2240 -s 424

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\114F.exe

C:\Users\Admin\AppData\Local\Temp\114F.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\172C.exe

C:\Users\Admin\AppData\Local\Temp\172C.exe

C:\Users\Admin\AppData\Local\Temp\17F8.exe

C:\Users\Admin\AppData\Local\Temp\17F8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\25C4.exe

C:\Users\Admin\AppData\Local\Temp\25C4.exe

C:\Users\Admin\AppData\Local\Temp\172C.exe

C:\Users\Admin\AppData\Local\Temp\172C.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

"C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6172 -ip 6172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 872

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\79558734-2b13-4a42-93c5-d2a00f6470fd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\172C.exe

"C:\Users\Admin\AppData\Local\Temp\172C.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\172C.exe

"C:\Users\Admin\AppData\Local\Temp\172C.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1960,7714334580007657268,8699593344178589132,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1

C:\Users\Admin\AppData\Local\4a203763-dfa1-4248-b173-f19b1df0c0a8\build2.exe

"C:\Users\Admin\AppData\Local\4a203763-dfa1-4248-b173-f19b1df0c0a8\build2.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5756 -ip 5756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1504

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\4a203763-dfa1-4248-b173-f19b1df0c0a8\build2.exe

"C:\Users\Admin\AppData\Local\4a203763-dfa1-4248-b173-f19b1df0c0a8\build2.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4a203763-dfa1-4248-b173-f19b1df0c0a8\build2.exe" & del C:\PrograData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im build2.exe /f

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 monsutiur4.com udp
NL 185.237.206.60:80 monsutiur4.com tcp
DE 51.116.253.168:443 tcp
US 8.8.8.8:53 nusurionuy5ff.at udp
US 8.8.8.8:53 moroitomo4.net udp
US 8.8.8.8:53 susuerulianita1.net udp
US 8.8.8.8:53 cucumbetuturel4.com udp
US 8.8.8.8:53 nunuslushau.com udp
US 8.8.8.8:53 linislominyt11.at udp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 104.80.225.205:443 tcp
RU 78.153.144.84:27027 tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RU 85.192.63.184:80 85.192.63.184 tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 8.8.8.8:53 edx.ajn322aa.com udp
US 172.67.206.40:443 edx.ajn322aa.com tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 8.8.8.8:53 www.mp3infonice.top udp
DE 161.97.101.255:80 www.mp3infonice.top tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 8.8.8.8:53 www.icodeps.com udp
US 149.28.253.196:443 www.icodeps.com tcp
RU 176.122.23.55:11768 tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
NL 47.246.48.208:80 ocsp.trust-provider.cn tcp
US 8.8.8.8:53 ojinsei.com udp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 8.8.8.8:53 i.xyzgamei.com udp
US 104.21.86.228:443 i.xyzgamei.com tcp
US 8.8.8.8:53 b.game2723.com udp
US 188.114.96.0:443 b.game2723.com tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.188.70:443 v.xyzgamev.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 fergrt.s3.us-west-2.amazonaws.com udp
US 8.8.8.8:53 m.facebook.com udp
US 8.8.8.8:53 clients2.google.com udp
NL 157.240.247.35:443 m.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com udp
NL 172.217.168.238:443 clients2.google.com udp
US 52.92.195.122:443 fergrt.s3.us-west-2.amazonaws.com tcp
US 8.8.8.8:53 edgedl.me.gvt1.com udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:53 secure.facebook.com udp
ES 31.13.83.17:443 secure.facebook.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 apis.google.com udp
ES 31.13.83.36:443 www.facebook.com tcp
NL 216.58.214.14:443 apis.google.com tcp
US 8.8.8.8:53 www.sadcsaheec.xyz udp
US 104.21.82.236:80 www.sadcsaheec.xyz tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 trustnero.com udp
US 104.21.1.91:443 trustnero.com tcp
US 8.8.8.8:53 fakermet.com udp
US 104.21.14.22:443 fakermet.com tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 8.8.4.4:443 dns.google udp
RO 109.98.58.98:80 linislominyt11.at tcp
US 172.67.188.70:443 v.xyzgamev.com tcp
RO 109.98.58.98:80 linislominyt11.at tcp
NL 216.58.208.99:443 ssl.gstatic.com tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RO 109.98.58.98:80 linislominyt11.at tcp
US 149.28.253.196:443 www.icodeps.com tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 kanzay.biz udp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
US 8.8.8.8:53 github.com udp
US 140.82.114.3:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
US 8.8.8.8:53 www.oovi.it udp
IT 217.64.195.204:80 www.oovi.it tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 85.192.63.184:80 85.192.63.184 tcp
RO 109.98.58.98:80 linislominyt11.at tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
US 8.8.8.8:53 fergrt.s3.us-west-2.amazonaws.com udp
NL 172.217.168.238:443 clients2.google.com tcp
NL 157.240.247.35:443 m.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 52.92.196.250:443 fergrt.s3.us-west-2.amazonaws.com tcp
US 52.92.196.250:443 fergrt.s3.us-west-2.amazonaws.com tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
ES 31.13.83.17:443 secure.facebook.com tcp
ES 31.13.83.36:443 www.facebook.com tcp
US 104.21.82.236:80 www.sadcsaheec.xyz tcp
RU 78.153.144.6:2510 tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
VN 103.89.90.61:34589 tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
RU 178.20.42.96:80 kanzay.biz tcp
DE 116.203.167.5:80 116.203.167.5 tcp
RU 178.20.42.96:80 kanzay.biz tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 60589974-54e9-4696-b5ac-dd108d86a283.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion udp
US 8.8.8.8:53 ysanhumeg1.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.35:80 geo.netsupportsoftware.com tcp
US 140.82.15.232:2970 ysanhumeg1.com tcp
US 8.8.8.8:53 sofolisk.com udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 rgyui.top udp
US 8.8.8.8:53 acacaca.org udp
CO 190.147.189.122:80 rgyui.top tcp
RO 109.98.58.98:80 acacaca.org tcp
US 8.8.4.4:443 dns.google tcp
RO 109.98.58.98:80 acacaca.org tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.204.127:19302 stun3.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 sofolisk.com udp
US 66.23.227.135:443 tcp
LU 107.189.6.61:443 tcp
MD 178.17.170.135:9001 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.179.139:80 116.202.179.139 tcp
NL 45.66.33.45:443 tcp
US 50.220.99.34:443 tcp
SE 151.177.105.31:9001 tcp
FR 51.159.177.222:443 tcp

Files

memory/4004-132-0x0000000002D8D000-0x0000000002D9E000-memory.dmp

memory/4004-133-0x00000000048B0000-0x00000000048B9000-memory.dmp

memory/4004-134-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/4004-135-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/2200-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1CDE.exe

MD5 7ee26071eccd624c58596bb7e356c8c3
SHA1 2c61201ce36e236c30c350bfae82fa74d21c89cb
SHA256 69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b
SHA512 7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

C:\Users\Admin\AppData\Local\Temp\1CDE.exe

MD5 7ee26071eccd624c58596bb7e356c8c3
SHA1 2c61201ce36e236c30c350bfae82fa74d21c89cb
SHA256 69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b
SHA512 7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

memory/2200-139-0x00000000009B9000-0x00000000009EA000-memory.dmp

memory/2200-140-0x0000000000920000-0x000000000095E000-memory.dmp

memory/2200-141-0x0000000000400000-0x000000000086C000-memory.dmp

memory/2200-142-0x0000000004F30000-0x00000000054D4000-memory.dmp

memory/2200-143-0x0000000005560000-0x00000000055F2000-memory.dmp

memory/2200-144-0x00000000058B0000-0x0000000005EC8000-memory.dmp

memory/2200-145-0x00000000056D0000-0x00000000057DA000-memory.dmp

memory/2200-146-0x0000000005800000-0x0000000005812000-memory.dmp

memory/2200-147-0x0000000005820000-0x000000000585C000-memory.dmp

memory/1948-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\444D.exe

MD5 43b8954e8abf124849b8a0cc178937a4
SHA1 ce2395780e2ad5ec8dc89fdc0d22180d5cb648c6
SHA256 675fd5dc0b60f4210f218e3726f9c47c26a23a0eb796ea73a3c0eb8de7355770
SHA512 5afb02eeb7226103bf0845e47be52117087cdff4d8535d59380d05c24fb00b68aa92d17370aa9abc2d136e9c8046c8342b51d91447d91388277c53218d2e3d89

C:\Users\Admin\AppData\Local\Temp\444D.exe

MD5 43b8954e8abf124849b8a0cc178937a4
SHA1 ce2395780e2ad5ec8dc89fdc0d22180d5cb648c6
SHA256 675fd5dc0b60f4210f218e3726f9c47c26a23a0eb796ea73a3c0eb8de7355770
SHA512 5afb02eeb7226103bf0845e47be52117087cdff4d8535d59380d05c24fb00b68aa92d17370aa9abc2d136e9c8046c8342b51d91447d91388277c53218d2e3d89

memory/1948-151-0x0000000002CC9000-0x0000000002CDA000-memory.dmp

memory/1948-152-0x0000000002C90000-0x0000000002C99000-memory.dmp

memory/2200-153-0x0000000006140000-0x00000000061A6000-memory.dmp

memory/1948-154-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/2200-155-0x0000000006980000-0x0000000006B42000-memory.dmp

memory/2200-156-0x0000000006B50000-0x000000000707C000-memory.dmp

memory/2200-157-0x00000000009B9000-0x00000000009EA000-memory.dmp

memory/1948-158-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/736-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6515.exe

MD5 07a8bc35ca1632555dd46a6867f22dd7
SHA1 1feb0c4429e48bb877e9110c05a0a6022a3abacd
SHA256 496e0e9f8c0f4239f5ef32035a628fba3179722ae147e016ae72ae3a6d067433
SHA512 195fc4cb02c51bb0c4095c1657ab927e9efe5299067132c331fd183beae07a7cb4acf8824efa344ecba139bb20869894924701944241cc004a414092b8ef479b

C:\Users\Admin\AppData\Local\Temp\6515.exe

MD5 07a8bc35ca1632555dd46a6867f22dd7
SHA1 1feb0c4429e48bb877e9110c05a0a6022a3abacd
SHA256 496e0e9f8c0f4239f5ef32035a628fba3179722ae147e016ae72ae3a6d067433
SHA512 195fc4cb02c51bb0c4095c1657ab927e9efe5299067132c331fd183beae07a7cb4acf8824efa344ecba139bb20869894924701944241cc004a414092b8ef479b

memory/736-162-0x0000000002EB9000-0x0000000002ECA000-memory.dmp

memory/2200-163-0x00000000009B9000-0x00000000009EA000-memory.dmp

memory/2200-164-0x0000000000400000-0x000000000086C000-memory.dmp

memory/736-165-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/1372-166-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\70BE.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

memory/4316-168-0x0000000000000000-mapping.dmp

memory/4316-171-0x0000000002370000-0x00000000024AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70BE.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

C:\Users\Admin\AppData\Local\Temp\70BE.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

memory/736-172-0x0000000000400000-0x0000000002B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86B8.exe

MD5 8cd2e049bdbb6954e7ddaed3eb63dc79
SHA1 f0715504d291f42753ccb8cb340524369da00d49
SHA256 f513aa13542f7444fffa8d5a826633fee3a90ff90e9d6fdc7c67211ab1d51205
SHA512 45539036718e6d90581d5e007f45e4e283d0a570c60b33c18194c3e1467dfe586a89da62f358ef959ab695bc0e45e77c57f88deb1433a4763ee640fb8d1e501b

memory/936-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\86B8.exe

MD5 8cd2e049bdbb6954e7ddaed3eb63dc79
SHA1 f0715504d291f42753ccb8cb340524369da00d49
SHA256 f513aa13542f7444fffa8d5a826633fee3a90ff90e9d6fdc7c67211ab1d51205
SHA512 45539036718e6d90581d5e007f45e4e283d0a570c60b33c18194c3e1467dfe586a89da62f358ef959ab695bc0e45e77c57f88deb1433a4763ee640fb8d1e501b

memory/4316-176-0x00000000026D0000-0x00000000027EC000-memory.dmp

memory/4316-177-0x0000000002910000-0x0000000002A2C000-memory.dmp

memory/46556-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\903F.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

C:\Users\Admin\AppData\Local\Temp\903F.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

memory/4316-181-0x0000000002A30000-0x0000000002AEE000-memory.dmp

memory/46556-182-0x0000000140000000-0x0000000140608000-memory.dmp

memory/4316-186-0x0000000002AF0000-0x0000000002B99000-memory.dmp

memory/4316-189-0x0000000002910000-0x0000000002A2C000-memory.dmp

memory/46832-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9987.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

C:\Users\Admin\AppData\Local\Temp\9987.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

memory/59216-195-0x0000000000810000-0x0000000000870000-memory.dmp

memory/59216-194-0x0000000000000000-mapping.dmp

memory/46832-200-0x0000000000400000-0x000000000058E000-memory.dmp

memory/46688-201-0x0000000000000000-mapping.dmp

memory/59292-202-0x0000000000000000-mapping.dmp

memory/59476-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AD00.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Users\Admin\AppData\Local\Temp\AD00.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Users\Admin\AppData\Local\Temp\AD00.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/59560-206-0x0000000000000000-mapping.dmp

memory/59692-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 2a03e19d5af7606e8e9a5c86a5a78880
SHA1 93945d1e473713d83316aaa9a297a417fb302db7
SHA256 15dea69e1ef7f927cdf56b7b6a31189b825b0cef06eeca4811006e7bf9d02c9a
SHA512 f263945af96cb0040d521832038862bfa05f4c9efd0eda0ae511dc1ab0ced179e0e64a3054de42bdc159db2520ff45f2b56ac08a7ac59bd01b74bbdf4b013f93

memory/46832-212-0x0000000000400000-0x000000000058E000-memory.dmp

\??\pipe\crashpad_59736_IHJKZCWPBHCPUKNE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 87c6f7a12400e4d26086b4edcde0cf38
SHA1 55b84af207dbf774694363edd28d64e2012c1018
SHA256 e91547635729afce24b069a3c00a1868f62d01e3127e6b45adeef9fb0e7d5283
SHA512 dfc26d6a0ca2ad2d6c035a8dcef4949039196a94702f519b6fd46315b34bf836d1f1db11d68aa6298cee814ad7c8fb6e606592cbec8731a6eb8e480ee5b25418

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

MD5 6da6b303170ccfdca9d9e75abbfb59f3
SHA1 1a8070080f50a303f73eba253ba49c1e6d400df6
SHA256 66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333
SHA512 872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

MD5 c8d8c174df68910527edabe6b5278f06
SHA1 8ac53b3605fea693b59027b9b471202d150f266f
SHA256 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512 d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

MD5 f79618c53614380c5fdc545699afe890
SHA1 7804a4621cd9405b6def471f3ebedb07fb17e90a
SHA256 f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c
SHA512 c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

MD5 3a293a98c3f7838965396f9e8d687d91
SHA1 f53665732d3c38f8d8f5c0ccad7f1a7e3d6eb186
SHA256 27b5cce20840ee8af2b55e8c3cc3e34017b28282b3577acbbeef3625e88c824b
SHA512 b63fdccf837a8007d27bcec760239cefdbe1974c77343bb583b490e11fc3123e94e4e453a164696455b7b76bce9806d146550f47aa6b719631bd23556b9de138

memory/4548-224-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

memory/4216-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DFAB.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Users\Admin\AppData\Local\Temp\DFAB.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Users\Admin\AppData\Local\Temp\DFAB.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/760-230-0x0000000000000000-mapping.dmp

memory/4548-232-0x0000000004B9B000-0x0000000004F84000-memory.dmp

memory/4548-233-0x0000000005090000-0x0000000005906000-memory.dmp

memory/4548-234-0x0000000000400000-0x0000000002F57000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E8A5.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

C:\Users\Admin\AppData\Local\Temp\E8A5.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

memory/1524-235-0x0000000000000000-mapping.dmp

memory/1524-240-0x0000000000400000-0x000000000058E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

memory/2008-239-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 2a03e19d5af7606e8e9a5c86a5a78880
SHA1 93945d1e473713d83316aaa9a297a417fb302db7
SHA256 15dea69e1ef7f927cdf56b7b6a31189b825b0cef06eeca4811006e7bf9d02c9a
SHA512 f263945af96cb0040d521832038862bfa05f4c9efd0eda0ae511dc1ab0ced179e0e64a3054de42bdc159db2520ff45f2b56ac08a7ac59bd01b74bbdf4b013f93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

MD5 5a87acec8d6f410e56daa22f24221ef0
SHA1 e2ca8371bd15fb3271ba0a38f6b75df08cbe4087
SHA256 f81f9a5b8b47bb6d5fbfd9fc508d91a297d71b73467f6ed31239d7d8ce0c8ff1
SHA512 c925e76d3bc7682ddb6fadb71ec69462dfcd63f6cedc9ba7c2b547bce3da0545a68c03fec50d5155f94964ed0f7ac3e906ba2dfe146057582fbe7a8dd6bd446e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9DD071679C018B2129B579E1C864DC6B

MD5 589e42bf0b9c372001898e750d3bffa2
SHA1 f34618c34ceb84e546d0c12117055e8424a121f7
SHA256 239cdf121564bf648d3e34b258dcb89039b90abc9f3d95221f8e4dcaa250fb51
SHA512 9a793f6f275f4915b90586b7dcbecb88eac32733a3ddba68382c7ae6b5deead8e7f952d4a049e39ea2ea07d98abb3eb1edf93a2f7f9716762e73acca7dba3979

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9DD071679C018B2129B579E1C864DC6B

MD5 c2ec6c1b9c2c4ce004dceb4c6e10d183
SHA1 2939037316338d1617a4e9f6b8cc12c102c9b23b
SHA256 3a78df3c6e6aed7c951fff295b824552b6ead60cb394819faefd40a9e6f51198
SHA512 76376ce707c571ee44eebc47348d438485a541486f73f42515c84863888185098f42dbc59ce8bab69da189b7ad9863fb391526a50ff2ec6a8a16fae572127434

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

MD5 f6a220ac239566cacfdf6885eacb7f78
SHA1 fa7a17f683128759f2f2d96ef52802951bb6afd7
SHA256 f3f4f59d094820ede08ce09237a66e73f1ac726fe94037e397a16a0366bfce81
SHA512 f990e940f622cabcf51dbc1b63aaf7fd99ccd8bf5f5dbc490c0410ff42b443790d5a918cdc5c6bee4e3d97b25fc446865cd093cc3fe64e97735c0ab14ddeeee2

memory/388-247-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 ec8ff3b1ded0246437b1472c69dd1811
SHA1 d813e874c2524e3a7da6c466c67854ad16800326
SHA256 e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512 e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 d2a5e9c177aa521e9767c0d8c7e491b6
SHA1 a774a7daa11ee26228cabbe099c8b584893e9c79
SHA256 73da6ccf617b979c704a530b4cba6cc4b3200c38efa786c92b049e342d869d33
SHA512 8f7dcdaa68a1f1d1649eef835f8ec557c5b81f24a6dda8c0bebeb07625dfc57f21b3ccca345d0702c5c9256ed1062f79226e64617d62b3ccc941f49a62055c60

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 1559a7f334a2ce6df79a10950c547903
SHA1 7ae1000039cfa1b7ff19535e260373ad1b913295
SHA256 fcf9fb4b70ba1a18829fd4673016a76b20e2c346a5c263650ac33c02b74f3f01
SHA512 04a8361758978b14f61a00eabf01b9db92c2f838abb031b0591741057f2b286c4a8c0936a71daa7a06882b007b373b2788f839c44723c677ecc2b05a78283ea0

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-09 12:12

Reported

2022-09-09 12:14

Platform

win7-20220812-en

Max time kernel

150s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

N/A

Files

memory/1960-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

memory/1960-56-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1960-55-0x0000000002CAE000-0x0000000002CBE000-memory.dmp

memory/1960-57-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/1960-58-0x0000000000400000-0x0000000002B7E000-memory.dmp