Malware Analysis Report

2025-06-16 01:50

Sample ID 220909-yylvzshac6
Target 31e7391507f0770622741989b7b3a00a.exe
SHA256 8cb86bbcb25685ceebc56873baf12f6fd9f876c2d196a3e973aa7449108c63d7
Tags
dcrat djvu glupteba netsupport raccoon redline smokeloader socelars 1337 567d5bff28c2a18132d2f88511f07435 mario_new nam5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8cb86bbcb25685ceebc56873baf12f6fd9f876c2d196a3e973aa7449108c63d7

Threat Level: Known bad

The file 31e7391507f0770622741989b7b3a00a.exe was found to be: Known bad.

Malicious Activity Summary

dcrat djvu glupteba netsupport raccoon redline smokeloader socelars 1337 567d5bff28c2a18132d2f88511f07435 mario_new nam5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx vmprotect

DcRat

Glupteba

Process spawned unexpected child process

NetSupport

Socelars payload

RedLine payload

RedLine

Socelars

Djvu Ransomware

Raccoon

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Detected Djvu ransomware

Detects Smokeloader packer

Modifies Windows Firewall

UPX packed file

Modifies extensions of user files

Downloads MZ/PE file

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Modifies file permissions

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Enumerates system info in registry

Kills process with taskkill

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Script User-Agent

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-09 20:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-09 20:11

Reported

2022-09-09 20:41

Platform

win10v2004-20220812-en

Max time kernel

1800s

Max time network

1776s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\77e00c90-fa40-47f5-8f2d-033a4d006b21\\ED40.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

NetSupport

rat netsupport

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\736B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\14CE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5573.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75AE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A089.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A2BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A667.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA8E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B3E6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C387.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C387.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C1DF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ivdreur N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ctdreur N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A
N/A N/A C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ivdreur N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ctdreur N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ivdreur N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ctdreur N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CheckpointUnlock.png => C:\Users\Admin\Pictures\CheckpointUnlock.png.mmdt C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
File renamed C:\Users\Admin\Pictures\LockSkip.crw => C:\Users\Admin\Pictures\LockSkip.crw.mmdt C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
File opened for modification C:\Users\Admin\Pictures\StartWatch.tiff C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
File renamed C:\Users\Admin\Pictures\StartWatch.tiff => C:\Users\Admin\Pictures\StartWatch.tiff.mmdt C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
File renamed C:\Users\Admin\Pictures\UpdateSplit.crw => C:\Users\Admin\Pictures\UpdateSplit.crw.mmdt C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B3E6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C387.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\30B9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunsuport.ini.lnk C:\Users\Admin\AppData\Local\Temp\B3E6.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA8E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA8E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA8E.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\77e00c90-fa40-47f5-8f2d-033a4d006b21\\ED40.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ED40.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4528 set thread context of 4600 N/A C:\Users\Admin\AppData\Local\Temp\ED40.exe C:\Users\Admin\AppData\Local\Temp\ED40.exe
PID 1124 set thread context of 1108 N/A C:\Users\Admin\AppData\Local\Temp\ED40.exe C:\Users\Admin\AppData\Local\Temp\ED40.exe
PID 3320 set thread context of 101460 N/A C:\Users\Admin\AppData\Local\Temp\14CE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 set thread context of 101560 N/A C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe
PID 102240 set thread context of 101736 N/A C:\Users\Admin\AppData\Local\Temp\A089.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 102360 set thread context of 712 N/A C:\Users\Admin\AppData\Local\Temp\A2BC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 101520 set thread context of 101684 N/A C:\Users\Admin\AppData\Local\Temp\A667.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 11908 set thread context of 11948 N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
PID 13344 set thread context of 13364 N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
PID 14208 set thread context of 14348 N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
PID 15396 set thread context of 15432 N/A C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\manifest.json C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecoveryCRX.crx C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\60C3.exe N/A
File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\manifest.json C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\_metadata\verified_contents.json C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\_metadata\verified_contents.json C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\9BC5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2B36.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5573.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5573.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2B36.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2B36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5573.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ivdreur N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\F66D.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000761be9f37eaed8014ca4ad338baed8014ca4ad338baed80114000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 N/A N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5573.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 4848 N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2576 wrote to memory of 4848 N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 3904 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 3904 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4848 wrote to memory of 1276 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe

"C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8580d4f50,0x7ff8580d4f60,0x7ff8580d4f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2380 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\736B.exe

C:\Users\Admin\AppData\Local\Temp\736B.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B8F1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B8F1.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1276

C:\Users\Admin\AppData\Local\Temp\ED40.exe

C:\Users\Admin\AppData\Local\Temp\ED40.exe

C:\Users\Admin\AppData\Local\Temp\ED40.exe

C:\Users\Admin\AppData\Local\Temp\ED40.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ED40.exe

"C:\Users\Admin\AppData\Local\Temp\ED40.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ED40.exe

"C:\Users\Admin\AppData\Local\Temp\ED40.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe

"C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe"

C:\Users\Admin\AppData\Local\Temp\14CE.exe

C:\Users\Admin\AppData\Local\Temp\14CE.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3320 -ip 3320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 97600

C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe

"C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe"

C:\Users\Admin\AppData\Local\Temp\2B36.exe

C:\Users\Admin\AppData\Local\Temp\2B36.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe" & del C:\PrograData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im build2.exe /f

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\5573.exe

C:\Users\Admin\AppData\Local\Temp\5573.exe

C:\Users\Admin\AppData\Local\Temp\75AE.exe

C:\Users\Admin\AppData\Local\Temp\75AE.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 101948 -ip 101948

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 101948 -s 424

C:\Users\Admin\AppData\Local\Temp\9BC5.exe

C:\Users\Admin\AppData\Local\Temp\9BC5.exe

C:\Users\Admin\AppData\Local\Temp\A089.exe

C:\Users\Admin\AppData\Local\Temp\A089.exe

C:\Users\Admin\AppData\Local\Temp\A2BC.exe

C:\Users\Admin\AppData\Local\Temp\A2BC.exe

C:\Users\Admin\AppData\Local\Temp\A667.exe

C:\Users\Admin\AppData\Local\Temp\A667.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\AA8E.exe

C:\Users\Admin\AppData\Local\Temp\AA8E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\B3E6.exe

C:\Users\Admin\AppData\Local\Temp\B3E6.exe

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

"C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8580d4f50,0x7ff8580d4f60,0x7ff8580d4f70

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\C387.exe

C:\Users\Admin\AppData\Local\Temp\C387.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit

C:\Users\Admin\AppData\Local\Temp\C387.exe

"C:\Users\Admin\AppData\Local\Temp\C387.exe" -h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 101684 -ip 101684

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 101684 -s 1932

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im AppLaunch.exe /f

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:8

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5904 -ip 5904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 600

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 101628 -ip 101628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 101628 -s 760

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\30B9.exe

C:\Users\Admin\AppData\Local\Temp\30B9.exe

C:\Users\Admin\AppData\Local\Temp\30B9.exe

"C:\Users\Admin\AppData\Local\Temp\30B9.exe" -h

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6868 -ip 6868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 600

C:\Users\Admin\AppData\Local\Temp\60C3.exe

C:\Users\Admin\AppData\Local\Temp\60C3.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1592 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff867254f50,0x7ff867254f60,0x7ff867254f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1800 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1688 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\C1DF.exe

C:\Users\Admin\AppData\Local\Temp\C1DF.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 8364 -ip 8364

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 8364 -s 424

C:\Users\Admin\AppData\Local\Temp\F66D.exe

C:\Users\Admin\AppData\Local\Temp\F66D.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\F66D.exe

"C:\Users\Admin\AppData\Local\Temp\F66D.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 8840 -ip 8840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8840 -s 872

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2816 /prefetch:8

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:8

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8

C:\Users\Admin\AppData\Roaming\ivdreur

C:\Users\Admin\AppData\Roaming\ivdreur

C:\Users\Admin\AppData\Roaming\ctdreur

C:\Users\Admin\AppData\Roaming\ctdreur

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 10672 -ip 10672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10672 -s 340

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1392 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 /prefetch:8

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe

"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={89c48b89-bade-467f-9ba6-5dad3cf7c696} --system

C:\Users\Admin\AppData\Roaming\ivdreur

C:\Users\Admin\AppData\Roaming\ivdreur

C:\Users\Admin\AppData\Roaming\ctdreur

C:\Users\Admin\AppData\Roaming\ctdreur

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 13160 -ip 13160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13160 -s 312

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Users\Admin\AppData\Roaming\ivdreur

C:\Users\Admin\AppData\Roaming\ivdreur

C:\Users\Admin\AppData\Roaming\ctdreur

C:\Users\Admin\AppData\Roaming\ctdreur

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 15152 -ip 15152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 15152 -s 308

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:8

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com udp
NL 142.251.36.45:443 accounts.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 edgedl.me.gvt1.com udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:53 apis.google.com udp
NL 216.58.214.14:443 apis.google.com tcp
US 8.8.8.8:53 monsutiur4.com udp
NL 185.237.206.60:80 monsutiur4.com tcp
US 52.182.143.210:443 tcp
US 8.8.8.8:53 nusurionuy5ff.at udp
US 8.8.8.8:53 moroitomo4.net udp
US 8.8.8.8:53 susuerulianita1.net udp
US 8.8.8.8:53 cucumbetuturel4.com udp
US 8.8.8.8:53 nunuslushau.com udp
US 8.8.8.8:53 linislominyt11.at udp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
RU 78.153.144.84:27027 tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 211.171.233.126:80 linislominyt11.at tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 rgyui.top udp
US 8.8.8.8:53 acacaca.org udp
BG 91.139.196.113:80 rgyui.top tcp
ER 196.200.111.5:80 acacaca.org tcp
ER 196.200.111.5:80 acacaca.org tcp
KR 211.171.233.126:80 linislominyt11.at tcp
RU 176.122.23.55:11768 tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.179.139:80 116.202.179.139 tcp
RU 85.192.63.184:80 85.192.63.184 tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 8.8.8.8:53 edx.ajn322aa.com udp
US 104.21.90.234:443 edx.ajn322aa.com tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 8.8.8.8:53 ojinsei.com udp
KR 211.171.233.126:80 linislominyt11.at tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:53 www.mp3infonice.top udp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
DE 161.97.101.255:80 www.mp3infonice.top tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.icodeps.com udp
US 149.28.253.196:443 www.icodeps.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:53 www.oovi.it udp
IT 217.64.195.204:80 www.oovi.it tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
RU 178.20.42.96:80 ojinsei.com tcp
NL 47.246.48.208:80 ocsp.trust-provider.cn tcp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 85.192.63.184:80 85.192.63.184 tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
VN 103.89.90.61:34589 tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 78.153.144.6:2510 tcp
RU 178.20.42.96:80 ojinsei.com tcp
NL 149.154.167.99:443 t.me tcp
DE 116.203.167.5:80 116.203.167.5 tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
DE 116.202.180.202:80 116.202.180.202 tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
KR 211.171.233.126:80 linislominyt11.at tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:53 ysanhumeg1.com udp
US 8.8.8.8:53 i.xyzgamei.com udp
US 104.21.86.228:443 i.xyzgamei.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 140.82.15.232:2970 ysanhumeg1.com tcp
GB 62.172.138.35:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 b.game2723.com udp
US 188.114.96.0:443 b.game2723.com tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.188.70:443 v.xyzgamev.com tcp
US 8.8.8.8:53 fergrt.s3.us-west-2.amazonaws.com udp
NL 142.251.36.45:443 accounts.google.com udp
NL 172.217.168.238:443 clients2.google.com udp
US 52.218.222.9:443 fergrt.s3.us-west-2.amazonaws.com tcp
US 8.8.8.8:53 m.facebook.com udp
ES 31.13.83.36:443 m.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 172.217.168.238:443 clients2.google.com tcp
US 52.218.222.9:443 fergrt.s3.us-west-2.amazonaws.com tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:53 secure.facebook.com udp
ES 31.13.83.17:443 secure.facebook.com tcp
US 8.8.8.8:53 www.sadcsaheec.xyz udp
US 172.67.209.68:80 www.sadcsaheec.xyz tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 8.8.8.8:53 trustnero.com udp
US 8.8.8.8:443 dns.google udp
US 13.107.21.200:443 tcp
NL 216.58.214.3:443 ssl.gstatic.com tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 172.67.188.70:443 v.xyzgamev.com tcp
KR 211.171.233.126:80 linislominyt11.at tcp
KR 211.171.233.126:80 linislominyt11.at tcp
US 149.28.253.196:443 www.icodeps.com tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 linislominyt11.at udp
ER 196.200.111.5:80 linislominyt11.at tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 fergrt.s3.us-west-2.amazonaws.com udp
US 8.8.8.8:53 update.googleapis.com udp
ES 31.13.83.36:443 m.facebook.com tcp
NL 172.217.168.238:443 clients2.google.com udp
NL 142.251.36.45:443 accounts.google.com udp
NL 142.250.179.163:443 update.googleapis.com tcp
US 52.218.246.57:443 fergrt.s3.us-west-2.amazonaws.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 172.217.168.238:443 clients2.google.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
ES 31.13.83.17:443 secure.facebook.com tcp
US 172.67.209.68:80 www.sadcsaheec.xyz tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
ER 196.200.111.5:80 linislominyt11.at tcp
ER 196.200.111.5:80 linislominyt11.at tcp
ER 196.200.111.5:80 linislominyt11.at tcp
US 8.8.8.8:53 7c4e6943-5bf0-45b8-b9c9-da984108c0a9.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion udp
US 8.8.8.8:53 sofolisk.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.128.127:19302 stun.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:31464 tcp
N/A 127.0.0.1:50198 tcp
US 198.98.62.79:9000 tcp
US 140.82.16.129:6910 tcp
DE 136.243.92.194:9001 tcp
IL 83.229.71.97:443 tcp
US 135.148.150.100:443 tcp
N/A 127.0.0.1:31464 tcp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.163:443 update.googleapis.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
DE 136.243.92.194:9001 tcp
US 135.148.150.100:443 tcp
US 8.8.8.8:53 edgedl.me.gvt1.com udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:443 dns.google udp
NL 216.58.208.99:443 beacons.gcp.gvt2.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
N/A 127.0.0.1:31464 tcp
US 8.8.8.8:53 sofolisk.com udp
NL 142.250.179.163:443 update.googleapis.com udp
N/A 127.0.0.1:31464 tcp
US 8.8.8.8:53 stun1.l.google.com udp
IN 172.253.121.127:19302 stun1.l.google.com udp
US 8.8.8.8:443 dns.google udp
US 8.8.8.8:53 www.listfcbt.top udp
US 8.8.8.8:53 www.typefdq.xyz udp
US 23.230.210.157:80 tcp
US 23.230.210.157:80 tcp
NL 216.58.208.99:443 udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.170:443 safebrowsing.googleapis.com tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:443 dns.google udp
ES 31.13.83.36:443 m.facebook.com tcp
NL 142.250.179.170:443 udp
ES 31.13.83.17:443 secure.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:53 ojinsei.com udp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:443 dns.google udp
ES 31.13.83.36:443 m.facebook.com tcp
ES 31.13.83.17:443 secure.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:53 linislominyt11.at udp
ER 196.200.111.5:80 linislominyt11.at tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:53 ojinsei.com udp
RU 178.20.42.96:80 ojinsei.com tcp
RU 178.20.42.96:80 ojinsei.com tcp
US 8.8.8.8:443 dns.google udp
PT 157.240.212.35:443 tcp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.170:443 udp
PT 157.240.212.15:443 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:53 linislominyt11.at udp
EG 41.41.255.235:80 linislominyt11.at tcp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
NL 142.250.179.163:443 update.googleapis.com udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp

Files

memory/3520-132-0x0000000002D58000-0x0000000002D69000-memory.dmp

memory/3520-133-0x0000000002BF0000-0x0000000002BF9000-memory.dmp

memory/3520-134-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/3520-135-0x0000000000400000-0x0000000002B7F000-memory.dmp

\??\pipe\crashpad_4848_JRVTAXFHQGYDRIPV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3952-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 7b07d0f85b76867011ceee0c1b906350
SHA1 dbdfb3ace24ff0ec4f46029116b8b7a7fdc9d7d7
SHA256 8d820dad44da63c0999e3b5bb79ebf299190d441dd357bae3e29a648d4a2d923
SHA512 ca7c3e70c798f7dcaed3f499ac1281c88feeb86d73c2e6823fd0c4f71dfa3f2d007f01554565f8f3cdbefd1b0042220220c2545a8e937a3da1ac352239f52301

memory/1348-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\736B.exe

MD5 7ee26071eccd624c58596bb7e356c8c3
SHA1 2c61201ce36e236c30c350bfae82fa74d21c89cb
SHA256 69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b
SHA512 7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

C:\Users\Admin\AppData\Local\Temp\736B.exe

MD5 7ee26071eccd624c58596bb7e356c8c3
SHA1 2c61201ce36e236c30c350bfae82fa74d21c89cb
SHA256 69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b
SHA512 7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

memory/1348-142-0x0000000000B79000-0x0000000000BAA000-memory.dmp

memory/1348-143-0x0000000000B10000-0x0000000000B4E000-memory.dmp

memory/1348-144-0x0000000005070000-0x0000000005614000-memory.dmp

memory/1348-145-0x0000000004FB0000-0x0000000005042000-memory.dmp

memory/1348-146-0x0000000000400000-0x000000000086C000-memory.dmp

memory/1348-147-0x00000000058B0000-0x0000000005EC8000-memory.dmp

memory/1348-148-0x00000000056D0000-0x00000000057DA000-memory.dmp

memory/1348-149-0x0000000005800000-0x0000000005812000-memory.dmp

memory/1348-150-0x0000000005820000-0x000000000585C000-memory.dmp

memory/1348-151-0x0000000006140000-0x00000000061A6000-memory.dmp

memory/1348-152-0x0000000000B79000-0x0000000000BAA000-memory.dmp

memory/1348-153-0x0000000000B10000-0x0000000000B4E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 12769bc4cd44cec7064839508d7217fa
SHA1 334cf07e25dd1979d7e5b65be6966fc5cb1a5488
SHA256 c8c35f9302e39608fa3ae5ffca4a4b8d993721388df6120c2a29df011ca69eeb
SHA512 ab49340368ae340da66617833565f2cce735d6b2484a4da86aef58983dd346ee1f378f2b8cf1c3ffa8f3574da0005148760de054628efc2864dbe45638ddf98e

memory/1348-155-0x0000000006930000-0x0000000006AF2000-memory.dmp

memory/1348-156-0x0000000006B10000-0x000000000703C000-memory.dmp

memory/2892-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\B8F1.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

memory/4368-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\B8F1.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

memory/4368-162-0x00000000020E0000-0x000000000221F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8F1.dll

MD5 43aa7572e12c1a6abc3693dc21263f3c
SHA1 03407624fb118ad0ee214a597e034e96da83dc5b
SHA256 3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c
SHA512 f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

memory/1348-164-0x0000000000400000-0x000000000086C000-memory.dmp

memory/1348-163-0x0000000000B79000-0x0000000000BAA000-memory.dmp

memory/4368-165-0x0000000002440000-0x000000000255C000-memory.dmp

memory/4368-166-0x0000000002680000-0x000000000279C000-memory.dmp

memory/4528-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ED40.exe

MD5 63fbba2c86860c166b25c7849532c0e1
SHA1 32446a756c0cbf25d358ed5a5285e6588b1fde3e
SHA256 fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa
SHA512 a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

C:\Users\Admin\AppData\Local\Temp\ED40.exe

MD5 63fbba2c86860c166b25c7849532c0e1
SHA1 32446a756c0cbf25d358ed5a5285e6588b1fde3e
SHA256 fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa
SHA512 a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

memory/4600-170-0x0000000000000000-mapping.dmp

memory/4600-171-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-174-0x00000000046F1000-0x0000000004783000-memory.dmp

memory/4600-173-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED40.exe

MD5 63fbba2c86860c166b25c7849532c0e1
SHA1 32446a756c0cbf25d358ed5a5285e6588b1fde3e
SHA256 fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa
SHA512 a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

memory/4600-176-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-175-0x00000000048E0000-0x00000000049FB000-memory.dmp

memory/4600-177-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4368-178-0x0000000002000000-0x00000000020BE000-memory.dmp

memory/4368-179-0x00000000027A0000-0x0000000002849000-memory.dmp

memory/4472-182-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe

MD5 63fbba2c86860c166b25c7849532c0e1
SHA1 32446a756c0cbf25d358ed5a5285e6588b1fde3e
SHA256 fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa
SHA512 a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

memory/4368-184-0x0000000002680000-0x000000000279C000-memory.dmp

memory/1124-185-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ED40.exe

MD5 63fbba2c86860c166b25c7849532c0e1
SHA1 32446a756c0cbf25d358ed5a5285e6588b1fde3e
SHA256 fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa
SHA512 a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

memory/4600-187-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1108-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ED40.exe

MD5 63fbba2c86860c166b25c7849532c0e1
SHA1 32446a756c0cbf25d358ed5a5285e6588b1fde3e
SHA256 fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa
SHA512 a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

memory/1108-193-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1124-192-0x0000000002D96000-0x0000000002E28000-memory.dmp

memory/1108-191-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 e9339a94c679e0b8175865495623293b
SHA1 cda8a83d18b90bb5ea384db0f16d1f7494da1e4f
SHA256 49fb16c5369f16f0f1e26ea890b45b2e2b1dd3fd769999b73d1df68e8ff5224b
SHA512 e3b724a071cbbdf4f69a4cbb88ddfaaf42c46a4ef5706c164a8fc6e135c15b96deade85078921f3ff7f6ed36b6d229852f9ad2ccfb62037fee18c6d2207899b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 215064dd8b4566627489319b46e9ca43
SHA1 7fa698eef5f02a961b5862df135d7ebfd8a12292
SHA256 390f76fdb79029603900524df2f0fbfd05bf18a3bbc74b9b05b2a6dc5938393c
SHA512 2a5b12b41d728ce30f1712d23226bbefe73111b786156b97126d6497ef234e78feaf6db08c7412eaa336c869b93ab239cd46b33cc31ff2c8497214cba5927753

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 a6a0160f7dee79a316edde54d910ebaa
SHA1 9b374842b8954e8b27a06f22f1c0de15ea768c31
SHA256 f3646358e7a0d83e1140296fb384dc20e38a165f8f086cf240ace49e27e5b7c0
SHA512 1510a5ac8bb5d3f7a3be3397ef5266861df92bb72d013d8f9432dae8f4310d7d494e67f6b49b712519fb96ef085eb1e233eb8bd4e42bfee10faf0f6da64e4b98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 e0a6e5edaa81c8c7c6867e617270d1e1
SHA1 d07908a63100d12787a377adea0fa58ec088e4ed
SHA256 94afcda42b4d811bca6d73342409f85256300c9c4cb73efde59724f0ff2b2c7c
SHA512 fa1c6dd9be0eb2cd5487b035e3cc61a7de93bb4d7ecd397cb3c51f16d748188aaef98263b4b4769a06b3cb98aef35b613070796ab244d50e929343e4a69fc171

memory/1108-199-0x0000000000400000-0x0000000000537000-memory.dmp

memory/768-200-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe

MD5 8d7db6982df46c3b0f0cc879d892c08a
SHA1 64e3d7ab4793aeb05d18a82159c579e05c45fd71
SHA256 116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6
SHA512 0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe

MD5 8d7db6982df46c3b0f0cc879d892c08a
SHA1 64e3d7ab4793aeb05d18a82159c579e05c45fd71
SHA256 116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6
SHA512 0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

memory/3320-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\14CE.exe

MD5 e23bcbf0e2d0e527c3ded13c38529e45
SHA1 0743b3295b0b51532541531626884dd39a1caffb
SHA256 1b6e45ac04753507e206951ec78dad28671859ae9de7963799cfb9ddb6715bec
SHA512 c4f5e108f89906c3ebdadf2d147766c34701d88bc858df987138a030399c0760ae94ad8d05576d998dff81b78421a1daa5d911b9c66a50d9557c54cd39dde419

C:\Users\Admin\AppData\Local\Temp\14CE.exe

MD5 e23bcbf0e2d0e527c3ded13c38529e45
SHA1 0743b3295b0b51532541531626884dd39a1caffb
SHA256 1b6e45ac04753507e206951ec78dad28671859ae9de7963799cfb9ddb6715bec
SHA512 c4f5e108f89906c3ebdadf2d147766c34701d88bc858df987138a030399c0760ae94ad8d05576d998dff81b78421a1daa5d911b9c66a50d9557c54cd39dde419

memory/101460-206-0x0000000000000000-mapping.dmp

memory/101460-207-0x0000000000400000-0x0000000000460000-memory.dmp

memory/101560-212-0x0000000000000000-mapping.dmp

memory/101560-213-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe

MD5 8d7db6982df46c3b0f0cc879d892c08a
SHA1 64e3d7ab4793aeb05d18a82159c579e05c45fd71
SHA256 116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6
SHA512 0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

memory/768-215-0x00000000008DA000-0x0000000000906000-memory.dmp

memory/101560-218-0x0000000000400000-0x000000000045D000-memory.dmp

memory/768-217-0x00000000023B0000-0x00000000023F9000-memory.dmp

memory/101560-216-0x0000000000400000-0x000000000045D000-memory.dmp

memory/101560-219-0x0000000000400000-0x000000000045D000-memory.dmp

memory/101660-220-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2B36.exe

MD5 f743240965c804b072992fb9c4745da7
SHA1 12f05100ab53dbe2d1424c35c18b82436ea4e49c
SHA256 29d59f7c3921481456a5acb73125f543ff20f7b2b3aa3e03d5ff70fdb6006732
SHA512 69d7e3d7e7a1db994b51355cc834686ff8248bfe87c147e8963e03a9bde489f1973bfd84122eb4dfe89077afdb51b27f17270f2b2274e0d453221039e3dc591c

C:\Users\Admin\AppData\Local\Temp\2B36.exe

MD5 f743240965c804b072992fb9c4745da7
SHA1 12f05100ab53dbe2d1424c35c18b82436ea4e49c
SHA256 29d59f7c3921481456a5acb73125f543ff20f7b2b3aa3e03d5ff70fdb6006732
SHA512 69d7e3d7e7a1db994b51355cc834686ff8248bfe87c147e8963e03a9bde489f1973bfd84122eb4dfe89077afdb51b27f17270f2b2274e0d453221039e3dc591c

C:\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

C:\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

memory/1108-226-0x0000000000400000-0x0000000000537000-memory.dmp

memory/101720-227-0x0000000000000000-mapping.dmp

memory/101660-228-0x0000000002D19000-0x0000000002D2A000-memory.dmp

memory/101560-230-0x0000000000400000-0x000000000045D000-memory.dmp

memory/101660-229-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

memory/101780-231-0x0000000000000000-mapping.dmp

memory/101824-232-0x0000000000000000-mapping.dmp

memory/101660-233-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/101660-234-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/101660-235-0x0000000002D19000-0x0000000002D2A000-memory.dmp

memory/101900-236-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5573.exe

MD5 327c4866682df9566e7f6379bc3af70d
SHA1 a30b624bd413bfe0910f13ce2fd274e7f913ad3a
SHA256 b534f2d22a5f8a0e2acfdb77bc21e3c13172725a4bb9a8a1e22cf89dfb16a727
SHA512 7e1bfcd8b2c811da59c32bd666da48412a52196592f27237f0f108d1b773eb9338a3f4ba570d1137b1ea09c858577186a3e285cda5df476bc2f498e404a9e048

C:\Users\Admin\AppData\Local\Temp\5573.exe

MD5 327c4866682df9566e7f6379bc3af70d
SHA1 a30b624bd413bfe0910f13ce2fd274e7f913ad3a
SHA256 b534f2d22a5f8a0e2acfdb77bc21e3c13172725a4bb9a8a1e22cf89dfb16a727
SHA512 7e1bfcd8b2c811da59c32bd666da48412a52196592f27237f0f108d1b773eb9338a3f4ba570d1137b1ea09c858577186a3e285cda5df476bc2f498e404a9e048

memory/101900-239-0x0000000002C09000-0x0000000002C1A000-memory.dmp

memory/101900-240-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/101948-241-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\75AE.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

C:\Users\Admin\AppData\Local\Temp\75AE.exe

MD5 5a5818de3886c0ffaa7071e70d003eb6
SHA1 c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e
SHA256 4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2
SHA512 07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

memory/101948-244-0x0000000140000000-0x0000000140608000-memory.dmp

memory/101900-248-0x0000000000400000-0x0000000002B7F000-memory.dmp

memory/102068-249-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9BC5.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

C:\Users\Admin\AppData\Local\Temp\9BC5.exe

MD5 9e9e7ad2a575a1ee322b618cb9cfdf05
SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

memory/102068-252-0x0000000000400000-0x000000000058E000-memory.dmp

memory/102240-253-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A089.exe

MD5 5e21b82f9633191086c02370b8e0fcef
SHA1 6922b4babff8a6e7db284b48d24c9e9413dc571e
SHA256 293f76c9298e68bd0a6518479dc1c0a56b9067750b417000622f36974c3adf51
SHA512 0bd3fa11744010c9c49e2cc6d6175b34ef9dd4d72077de2a10c65d9ca0cd779b7e652255288c12a7f52e35581ac57c435383b4c9bbb41c18cb3f61e0603ecc59

C:\Users\Admin\AppData\Local\Temp\A089.exe

MD5 5e21b82f9633191086c02370b8e0fcef
SHA1 6922b4babff8a6e7db284b48d24c9e9413dc571e
SHA256 293f76c9298e68bd0a6518479dc1c0a56b9067750b417000622f36974c3adf51
SHA512 0bd3fa11744010c9c49e2cc6d6175b34ef9dd4d72077de2a10c65d9ca0cd779b7e652255288c12a7f52e35581ac57c435383b4c9bbb41c18cb3f61e0603ecc59

C:\Users\Admin\AppData\Local\Temp\A2BC.exe

MD5 680941072df99398bee3f58c238c3e78
SHA1 4b74318d563669210fb193abaa90dda3eb98d457
SHA256 d83ad1fabcac2137e84d25d86b6d219eb5d21f9b7f283445494096e81105a9ef
SHA512 29a30bd4434e1c03a741574900795054818fe0b29f9d5060c24b752b3aa6d47f135a325d30630c59ac20444ab8b7dc704438ba32184414b9062963308b67e8a6

memory/102360-256-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A2BC.exe

MD5 680941072df99398bee3f58c238c3e78
SHA1 4b74318d563669210fb193abaa90dda3eb98d457
SHA256 d83ad1fabcac2137e84d25d86b6d219eb5d21f9b7f283445494096e81105a9ef
SHA512 29a30bd4434e1c03a741574900795054818fe0b29f9d5060c24b752b3aa6d47f135a325d30630c59ac20444ab8b7dc704438ba32184414b9062963308b67e8a6

memory/101520-259-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A667.exe

MD5 d311d95c1cbae9b5a21e2c52995a2ae6
SHA1 e6334f2bd1a4fc2926acff2888abb6835605ce70
SHA256 33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362
SHA512 abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24

memory/101584-261-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A667.exe

MD5 d311d95c1cbae9b5a21e2c52995a2ae6
SHA1 e6334f2bd1a4fc2926acff2888abb6835605ce70
SHA256 33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362
SHA512 abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24

memory/101700-263-0x0000000000000000-mapping.dmp

memory/101628-264-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AA8E.exe

MD5 a84c8e2c77a17507decaca28d86e7d57
SHA1 6afcb4c306e76b9bbd896081240567ea82ff0436
SHA256 5604e7359f09162873d428b90304789ddd59b1dbacfd03e4b4f9735e47c40708
SHA512 07d8a6b2277904cc7dcfbf844dcc5e4c227e55710751ad5c66df48440791e1a1c21e9f23f2e54517edeb736d672d2f064fad1f096d55f61c3867a1e5e69ba85c

C:\Users\Admin\AppData\Local\Temp\AA8E.exe

MD5 a84c8e2c77a17507decaca28d86e7d57
SHA1 6afcb4c306e76b9bbd896081240567ea82ff0436
SHA256 5604e7359f09162873d428b90304789ddd59b1dbacfd03e4b4f9735e47c40708
SHA512 07d8a6b2277904cc7dcfbf844dcc5e4c227e55710751ad5c66df48440791e1a1c21e9f23f2e54517edeb736d672d2f064fad1f096d55f61c3867a1e5e69ba85c

memory/101736-267-0x0000000000000000-mapping.dmp

memory/101736-268-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 09f87ebf033076d4019bf0a9ee1eb2e9
SHA1 b6f912c024056fd8b8353010f948dcbf3836e54a
SHA256 e9328bdf85ab57bacc3b598afe0f3f5da4bab5fbe43f60a8e11df110ecbb949a
SHA512 c7fd8c5b4a770a85c96da0b4dda5953398456f0d5ed9164b0d795835b338e6e5bb194dbfdde25372813e651730da3ccbd4eacd18f9a8524aa804209fb38d5618

memory/712-273-0x0000000000000000-mapping.dmp

memory/712-275-0x0000000000400000-0x0000000000420000-memory.dmp

memory/101684-280-0x0000000000000000-mapping.dmp

memory/101684-281-0x0000000000400000-0x000000000045D000-memory.dmp

memory/101684-287-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3492-288-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\B3E6.exe

MD5 789598a08bc57fea514d9ffd8f072b71
SHA1 7fc3b548b599eca588b54a5d78378be24ba4fc91
SHA256 6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
SHA512 6bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b

C:\Users\Admin\AppData\Local\Temp\B3E6.exe

MD5 789598a08bc57fea514d9ffd8f072b71
SHA1 7fc3b548b599eca588b54a5d78378be24ba4fc91
SHA256 6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
SHA512 6bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b

memory/101628-291-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

memory/101628-292-0x0000000002D90000-0x0000000002DA0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D

MD5 94bb7b19ef48e17751eed332b19aaa74
SHA1 cf003b66ff44c26fa60fa21d83540e0552db82c8
SHA256 c7f950b7e35d8b5d6d60b450e118f30d97e1b5d8934699310b2ff4ec84c916bc
SHA512 5ad11c01e417118e9f45d5e0633b67ae9e8f59f7e94fb01f30f841621ab13a690bed36e4bc55671408096f6e51f72eed6badb6074ab2c1cc49f58adbf187569a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D

MD5 859fa9fa9c01f80587eceb5e131aba60
SHA1 a536af7cadc404a06c5ebbd96e7068d5ce453433
SHA256 9d2efb781da9bc0d288129ddd4f8f4a28f3c459b12a9e31e7f6efc38645fe187
SHA512 ca49d9f63bc9dab9d426f512d15f6ba4649a6ee0fd2423d12e1b3dbca5b4422cadb7607b6db4a08c8f1b783dc5780288c2e580983b57d99903ec439ebd70e193

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 0a751af8dec7cee3bcf5b1a312787045
SHA1 482a3e15f36bbb9bfd7d1f46c28978bcc3778de6
SHA256 435533a9bd06ac185c18269e5bd20d15721bb24f4974f09ae10777bcbe60261b
SHA512 84d4b0f742d958773fa2bac487c8f04df1ee28cf213b51a2e7b036d1b583c1797213e9f833d8fe90e6b4257eb7d3f1e75aa9c7e837659ebb98d4f73501170932

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 ebfe59c22fe7d0eaa840502169d8e483
SHA1 ea18df8d7de0934f444ad56d8f3bb106d1a00ccb
SHA256 199c935ee9ff8d041c6efebef56ec7d4bb6f68278e9d16645c0b8748851d0d80
SHA512 96e257159061c767ebdefcbd9c16dbb3bedd8503766e49cfd226eb15864de415517bfd93e7a4a4cfd238944015e92a7c8b64a9e5d02b1bf5fe7bad4d8f677bd0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 0f659548fdffadc13e95d9f96228d48e
SHA1 65d187f2ccd310e9c7d9b2374fdca882372962dc
SHA256 3f8869afed7cdff14420af9b82b83823f3df3b63a5e5b1e6c4af4bc65162b171
SHA512 37599e87deee460b973f88b91031fbfb156aa68b1314039ab1748bff356210808e78b44b096a55eef7e97fad15ae2b0e3585036faefd8b44f8b76fe112768917

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 83543062e4bcb4f1ae50eb4f4686d302
SHA1 fa1b490bc2a329bc3d2a4e4f80bf0f36739fd741
SHA256 77fbf1cba5a2d74933f8915c47c3a700073837d294c74d65beb23e7605c407ce
SHA512 bcc71d3a5b22a0876d80170946e41ec807b1b9c5397e3d8728f2d58c240f456ccc281b9ac2e2fa57ff6bf0b27a89c885cead88c72156ca65d9835f252a97b57d

memory/101628-299-0x0000000000400000-0x0000000002B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fdb7b41860e6e129b01d357e66781133
SHA1 fd0c4af1a884b188749337f0ee92a1feb2bc68b5
SHA256 49ba4a07016f322c6c78fb7f53f11776cd6655558f987029217a1efadde901da
SHA512 3365b8eaf73503c9a1f64dc71e2924bf224c422f7e138be4b87d20867f28967bd6ec061b56c5dd35ea61d6f4ab982927fcf3cdd35d1a0231e0a2d8b5e01b43c0

memory/3152-301-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

MD5 b2b27ccaded1db8ee341d5bd2c373044
SHA1 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256 e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA512 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICL32.dll

MD5 d3d39180e85700f72aaae25e40c125ff
SHA1 f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe

MD5 b2b27ccaded1db8ee341d5bd2c373044
SHA1 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256 e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA512 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

memory/101684-305-0x0000000060900000-0x0000000060992000-memory.dmp

memory/2168-309-0x0000000000000000-mapping.dmp

memory/2168-325-0x0000000000E10000-0x0000000000E17000-memory.dmp

memory/2168-326-0x0000000000E00000-0x0000000000E0B000-memory.dmp

memory/1172-327-0x0000000000000000-mapping.dmp

memory/102068-328-0x0000000000400000-0x000000000058E000-memory.dmp

memory/1288-329-0x0000000000000000-mapping.dmp

memory/1172-330-0x0000000000730000-0x0000000000739000-memory.dmp

memory/1172-331-0x0000000000720000-0x000000000072F000-memory.dmp

memory/2268-332-0x0000000000000000-mapping.dmp

memory/5124-333-0x0000000000000000-mapping.dmp

memory/1008-334-0x0000000000000000-mapping.dmp

memory/2268-335-0x0000000000E10000-0x0000000000E15000-memory.dmp

memory/2268-336-0x0000000000E00000-0x0000000000E09000-memory.dmp

memory/5400-337-0x0000000000000000-mapping.dmp

memory/5512-338-0x0000000000000000-mapping.dmp

memory/5604-339-0x0000000000000000-mapping.dmp

memory/5512-340-0x0000000000D90000-0x0000000000D96000-memory.dmp

memory/5512-341-0x0000000000D80000-0x0000000000D8C000-memory.dmp

memory/5668-342-0x0000000000000000-mapping.dmp

memory/5668-343-0x0000000001120000-0x0000000001142000-memory.dmp

memory/5668-344-0x00000000010F0000-0x0000000001117000-memory.dmp

memory/5792-345-0x0000000000000000-mapping.dmp

memory/5904-346-0x0000000000000000-mapping.dmp

memory/5792-347-0x0000000000E10000-0x0000000000E15000-memory.dmp

memory/5792-348-0x0000000000E00000-0x0000000000E09000-memory.dmp

memory/5928-349-0x0000000000000000-mapping.dmp

memory/5928-350-0x0000000000350000-0x0000000000356000-memory.dmp

memory/5928-351-0x0000000000340000-0x000000000034B000-memory.dmp

memory/6016-352-0x0000000000000000-mapping.dmp

memory/6016-354-0x0000000000170000-0x000000000017D000-memory.dmp

memory/6016-353-0x0000000000180000-0x0000000000187000-memory.dmp

memory/6072-355-0x0000000000000000-mapping.dmp

memory/101628-356-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

memory/6664-368-0x0000000000000000-mapping.dmp

memory/6748-369-0x0000000000000000-mapping.dmp

memory/6868-370-0x0000000000000000-mapping.dmp

memory/6948-371-0x0000000000000000-mapping.dmp

memory/7064-373-0x0000000000000000-mapping.dmp

memory/7124-374-0x0000000000000000-mapping.dmp

memory/8364-376-0x0000000000000000-mapping.dmp

memory/8364-377-0x0000000140000000-0x0000000140608000-memory.dmp

memory/8476-381-0x0000000000000000-mapping.dmp

memory/8644-384-0x0000000000000000-mapping.dmp

memory/8712-387-0x0000000000000000-mapping.dmp

memory/8764-388-0x0000000000000000-mapping.dmp

memory/8808-390-0x0000000000000000-mapping.dmp

memory/8840-392-0x0000000000000000-mapping.dmp

memory/8928-394-0x0000000000000000-mapping.dmp

memory/8960-395-0x0000000000000000-mapping.dmp

memory/9124-399-0x0000000000000000-mapping.dmp

memory/9164-401-0x0000000000000000-mapping.dmp

memory/9280-403-0x0000000000000000-mapping.dmp