Malware Analysis Report

2025-06-16 01:50

Sample ID 220910-l7x86adfaq
Target abd6cd3cfb180beacd03e0a97a2d7547.exe
SHA256 585a35f120f39562e9acba6c1dfbf18ff814cf4c59254499b75790665dc749e7
Tags
smokeloader backdoor trojan djvu redline socelars 1337 mario_new nam5 discovery evasion infostealer persistence ransomware spyware stealer upx vmprotect
score
10/10

Analysis Overview

score
10/10

SHA256

585a35f120f39562e9acba6c1dfbf18ff814cf4c59254499b75790665dc749e7

Threat Level: Known bad

The file abd6cd3cfb180beacd03e0a97a2d7547.exe was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

Djvu Ransomware

RedLine payload

Process spawned unexpected child process

SmokeLoader

Socelars

Socelars payload

RedLine

Detects Smokeloader packer

UPX packed file

Executes dropped EXE

Modifies Windows Firewall

Downloads MZ/PE file

VMProtect packed file

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Script User-Agent

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V6)

No technique mappings are present in this export of the report.

Analysis: static1

Detonation Overview

Reported

2022-09-10 10:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-10 10:11

Reported

2022-09-10 10:13

Platform

win7-20220812-en

Max time kernel

150s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A (x2)
N/A N/A N/A N/A (x62)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe

"C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe"

Network

N/A

Files

memory/1096-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

memory/1096-56-0x0000000000230000-0x0000000000330000-memory.dmp

memory/1096-57-0x00000000003A0000-0x00000000003A9000-memory.dmp

memory/1096-58-0x0000000000400000-0x0000000000847000-memory.dmp

memory/1096-59-0x0000000000400000-0x0000000000847000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-10 10:11

Reported

2022-09-10 10:13

Platform

win10v2004-20220812-en

Max time kernel

124s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (x9)

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A (x2)

Djvu Ransomware

ransomware djvu

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (x3)

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A (x3)

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (x6)

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (x4)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\39EF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5808.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9D4A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9D4A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3213a471-abe6-48ba-8aef-74acc03030b3\\9D4A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9D4A.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (x3)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E2D2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E2D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E2D2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A (x3)

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A (x2)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A (x2)
N/A N/A N/A N/A (x62)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2D2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5C87.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (x8, alternating with the next row)
Token: SeCreatePagefilePrivilege N/A N/A N/A (x8)
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (x2, alternating with the next row)
Token: SeCreatePagefilePrivilege N/A N/A N/A (x2)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (x2, alternating with the next row)
Token: SeCreatePagefilePrivilege N/A N/A N/A (x2)
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\2A7D.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (x26)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (x24)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C87.exe (x3)
PID 2864 wrote to memory of 380 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D4A.exe (x3)
PID 380 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\9D4A.exe C:\Users\Admin\AppData\Local\Temp\9D4A.exe (x10)
PID 1368 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\9D4A.exe C:\Windows\SysWOW64\icacls.exe (x3)
PID 1368 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\9D4A.exe C:\Users\Admin\AppData\Local\Temp\9D4A.exe (x3)
PID 2864 wrote to memory of 3604 N/A N/A C:\Users\Admin\AppData\Local\Temp\B7B9.exe (x3)
PID 4724 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\9D4A.exe C:\Users\Admin\AppData\Local\Temp\9D4A.exe (x10)
PID 1304 wrote to memory of 41736 N/A C:\Users\Admin\AppData\Local\Temp\9D4A.exe C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe (x3)
PID 3604 wrote to memory of 101036 N/A C:\Users\Admin\AppData\Local\Temp\B7B9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (x5)
PID 2864 wrote to memory of 101116 N/A N/A C:\Windows\system32\regsvr32.exe (x2)
PID 101116 wrote to memory of 101140 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (x3)
PID 41736 wrote to memory of 101188 N/A C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe (x9)
PID 2864 wrote to memory of 101276 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2D2.exe (x3)
PID 2864 wrote to memory of 101048 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6E8.exe (x3)
PID 101188 wrote to memory of 101068 N/A C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe C:\Windows\SysWOW64\cmd.exe (x1)
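
Reading the WriteProcessMemory table as a process tree, as an added example that is not part of the sandbox report: the script transcribes the rows (write counts, PIDs and image file names taken from the table, with "N/A" kept where the sandbox recorded no image for PID 2864) and treats the first writer of each PID as its parent. It makes two things visible that the flat table hides: the unnamed PID 2864 is the writer behind every first-stage drop (5C87, 9D4A, B7B9, regsvr32, E2D2, F6E8), and 9D4A.exe and build2.exe each write into a fresh copy of themselves before build2.exe hands off to the cmd.exe self-delete.

```python
"""Rebuild the process tree implied by the WriteProcessMemory rows."""
from collections import defaultdict

# Transcribed from the table above as (write count, writer PID, target PID,
# writer image, target image). Images are shortened to file names, except
# the two regsvr32 copies, which live in different directories; "N/A" is
# kept where the sandbox recorded no image for the writer.
WRITES = [
    (3, 2864, 772, "N/A", "5C87.exe"),
    (3, 2864, 380, "N/A", "9D4A.exe"),
    (10, 380, 1368, "9D4A.exe", "9D4A.exe"),
    (3, 1368, 4340, "9D4A.exe", "icacls.exe"),
    (3, 1368, 4724, "9D4A.exe", "9D4A.exe"),
    (3, 2864, 3604, "N/A", "B7B9.exe"),
    (10, 4724, 1304, "9D4A.exe", "9D4A.exe"),
    (3, 1304, 41736, "9D4A.exe", "build2.exe"),
    (5, 3604, 101036, "B7B9.exe", "AppLaunch.exe"),
    (2, 2864, 101116, "N/A", r"system32\regsvr32.exe"),
    (3, 101116, 101140, r"system32\regsvr32.exe", r"SysWOW64\regsvr32.exe"),
    (9, 41736, 101188, "build2.exe", "build2.exe"),
    (3, 2864, 101276, "N/A", "E2D2.exe"),
    (3, 2864, 101048, "N/A", "F6E8.exe"),
    (1, 101188, 101068, "build2.exe", "cmd.exe"),
]


class WriteTree:
    """Parent/child graph where 'parent' means 'first process that wrote
    into the target'. In this report every target has exactly one writer,
    so the graph is a tree; a second, different writer for the same PID is
    collected in `extra_writers` (injection from somewhere other than the
    creator) and is the case worth escalating."""

    def __init__(self, writes):
        self.children = defaultdict(list)
        self.parent, self.image, self.writes = {}, {}, {}
        self.extra_writers = []
        for count, src, dst, src_img, dst_img in writes:
            self.image.setdefault(src, src_img)
            self.image.setdefault(dst, dst_img)
            self.writes[(src, dst)] = self.writes.get((src, dst), 0) + count
            if dst not in self.parent:
                self.parent[dst] = src
                self.children[src].append(dst)
            elif self.parent[dst] != src:
                self.extra_writers.append((src, dst))

    def roots(self):
        """PIDs that were never written to: the top of each tree."""
        return [pid for pid in self.image if pid not in self.parent]

    def lineage(self, pid):
        """Path from the root down to `pid`."""
        path = [pid]
        while path[-1] in self.parent:
            path.append(self.parent[path[-1]])
        return path[::-1]

    def same_image_writes(self):
        """Writer and target run the same image. Here that is 9D4A.exe and
        build2.exe writing into a fresh copy of themselves, which is how a
        self-relaunch stage shows up in a WriteProcessMemory log. The 64-bit
        regsvr32 writing into the SysWOW64 one is excluded on purpose: that
        hand-off is normal for a 32-bit DLL."""
        return [(s, d) for (s, d) in self.writes if self.image[s] == self.image[d]]

    def render(self, pid, depth=0):
        """Indented text tree, one line per PID, with the write count."""
        note = ""
        if pid in self.parent:
            p = self.parent[pid]
            note = f"  ({self.writes[(p, pid)]} writes from {p})"
        lines = [f"{'  ' * depth}{pid} {self.image[pid]}{note}"]
        for child in self.children[pid]:
            lines.extend(self.render(child, depth + 1))
        return lines


if __name__ == "__main__":
    tree = WriteTree(WRITES)
    for root in tree.roots():
        print("\n".join(tree.render(root)))
    print("self-relaunch stages:", tree.same_image_writes())
    print("cmd.exe lineage:", " -> ".join(map(str, tree.lineage(101068))))
```

On a live host the same picture comes from Sysmon Event ID 10 (ProcessAccess) filtered to GrantedAccess values that include PROCESS_VM_WRITE (0x20), joined to Event ID 1 for the images; the first-writer-as-parent rule carries over unchanged.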

Processes

C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe

"C:\Users\Admin\AppData\Local\Temp\abd6cd3cfb180beacd03e0a97a2d7547.exe"

C:\Users\Admin\AppData\Local\Temp\5C87.exe

C:\Users\Admin\AppData\Local\Temp\5C87.exe

C:\Users\Admin\AppData\Local\Temp\9D4A.exe

C:\Users\Admin\AppData\Local\Temp\9D4A.exe

C:\Users\Admin\AppData\Local\Temp\9D4A.exe

C:\Users\Admin\AppData\Local\Temp\9D4A.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3213a471-abe6-48ba-8aef-74acc03030b3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9D4A.exe

"C:\Users\Admin\AppData\Local\Temp\9D4A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 772 -ip 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1256

C:\Users\Admin\AppData\Local\Temp\B7B9.exe

C:\Users\Admin\AppData\Local\Temp\B7B9.exe

C:\Users\Admin\AppData\Local\Temp\9D4A.exe

"C:\Users\Admin\AppData\Local\Temp\9D4A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe

"C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3604 -ip 3604

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D208.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D208.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 97596

C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe

"C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe"

C:\Users\Admin\AppData\Local\Temp\E2D2.exe

C:\Users\Admin\AppData\Local\Temp\E2D2.exe

C:\Users\Admin\AppData\Local\Temp\F6E8.exe

C:\Users\Admin\AppData\Local\Temp\F6E8.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1f89d5fb-82f5-4a13-a249-29227133e100\build2.exe" & del C:\PrograData\*.dll & exit

C:\Users\Admin\AppData\Local\Temp\699.exe

C:\Users\Admin\AppData\Local\Temp\699.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /im build2.exe /f

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 424 -p 101196 -ip 101196

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 101196 -s 424

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\2A7D.exe

C:\Users\Admin\AppData\Local\Temp\2A7D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 101048 -ip 101048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 101048 -s 340

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\39EF.exe

C:\Users\Admin\AppData\Local\Temp\39EF.exe

C:\Users\Admin\AppData\Local\Temp\39EF.exe

"C:\Users\Admin\AppData\Local\Temp\39EF.exe" -h

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 600

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\4923.exe

C:\Users\Admin\AppData\Local\Temp\4923.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddf9d4f50,0x7ffddf9d4f60,0x7ffddf9d4f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1692 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\5808.exe

C:\Users\Admin\AppData\Local\Temp\5808.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\5808.exe

"C:\Users\Admin\AppData\Local\Temp\5808.exe" -h

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5932 -ip 5932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 608

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\4923.exe

"C:\Users\Admin\AppData\Local\Temp\4923.exe"

C:\Users\Admin\AppData\Local\Temp\7064.exe

C:\Users\Admin\AppData\Local\Temp\7064.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,1531021261056449252,18289088469865035416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddf3a4f50,0x7ffddf3a4f60,0x7ffddf3a4f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1824 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1776 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2428 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\A56F.exe

C:\Users\Admin\AppData\Local\Temp\A56F.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 560 -p 7656 -ip 7656

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7656 -s 424

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1764,17566677322920070410,7832343316799190540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\AFE0.exe

C:\Users\Admin\AppData\Local\Temp\AFE0.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\B7D0.exe

C:\Users\Admin\AppData\Local\Temp\B7D0.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\BBC9.exe

C:\Users\Admin\AppData\Local\Temp\BBC9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C659.exe

C:\Users\Admin\AppData\Local\Temp\C659.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network


Files

SHA1 42dba5e712f382a684deb20ededef154c74b24bc
SHA256 1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1
SHA512 0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

memory/101048-235-0x000000000095D000-0x000000000096D000-memory.dmp

memory/101048-236-0x0000000000400000-0x00000000007EE000-memory.dmp

memory/101324-237-0x0000000000400000-0x000000000058E000-memory.dmp

memory/101276-238-0x0000000000400000-0x00000000007F0000-memory.dmp

memory/101176-239-0x0000000000000000-mapping.dmp

memory/3932-240-0x0000000000000000-mapping.dmp

memory/101140-241-0x00000000031C0000-0x000000000327F000-memory.dmp

memory/832-242-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\39EF.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Users\Admin\AppData\Local\Temp\39EF.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/101140-246-0x0000000003280000-0x0000000003329000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\39EF.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/2092-245-0x0000000000000000-mapping.dmp

memory/101140-250-0x00000000030B0000-0x00000000031B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

memory/4324-252-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 2a03e19d5af7606e8e9a5c86a5a78880
SHA1 93945d1e473713d83316aaa9a297a417fb302db7
SHA256 15dea69e1ef7f927cdf56b7b6a31189b825b0cef06eeca4811006e7bf9d02c9a
SHA512 f263945af96cb0040d521832038862bfa05f4c9efd0eda0ae511dc1ab0ced179e0e64a3054de42bdc159db2520ff45f2b56ac08a7ac59bd01b74bbdf4b013f93

C:\Users\Admin\AppData\Local\Temp\4923.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

C:\Users\Admin\AppData\Local\Temp\4923.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

memory/1056-255-0x0000000000000000-mapping.dmp

memory/101324-258-0x0000000000400000-0x000000000058E000-memory.dmp

\??\pipe\crashpad_3048_DOGHWFSMIXJBEFPY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 e53b74bd9c08032a42f6d5470c931c26
SHA1 be56bcde5a9827bf42e9c06a5901d1b65261db69
SHA256 eaf58d0e77a8f4bed10e033c973864759caf0318b6516847091c11729bf1cc5a
SHA512 b9704349c1f66e7269aba0a39a2d9253bd68c4d875160f7c3824723aef1067fd205280d071756dc5c2ba30fa11962d01582e2d2407f30e3b8369a443b4eb8d56

memory/5064-261-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5808.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

MD5 c8d8c174df68910527edabe6b5278f06
SHA1 8ac53b3605fea693b59027b9b471202d150f266f
SHA256 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512 d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

MD5 6da6b303170ccfdca9d9e75abbfb59f3
SHA1 1a8070080f50a303f73eba253ba49c1e6d400df6
SHA256 66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333
SHA512 872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

MD5 f79618c53614380c5fdc545699afe890
SHA1 7804a4621cd9405b6def471f3ebedb07fb17e90a
SHA256 f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c
SHA512 c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Users\Admin\AppData\Local\Temp\5808.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/1056-268-0x0000000004C12000-0x0000000004FFB000-memory.dmp

memory/1056-269-0x0000000005000000-0x0000000005876000-memory.dmp

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

memory/5492-272-0x0000000000000000-mapping.dmp

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

MD5 a2d069df95a2cb430b5d6489264cc7c8
SHA1 def7d8e753fbaa589e47e6acfe70cf6091bdaf54
SHA256 f6e2cb76ea51e25a1e8afe74bc47adcc24c66869d1f04c8943f4e8cf438fabd1
SHA512 6dd8cc8a36715b03bd3c0de36f52ae1544b98524d38d040d0f6b0bbbf401aac67cce4952a2a3b76bb53ce7083ac3b34a7e25a0b2ed4a042e28101cca5605e6ea

C:\Users\Admin\AppData\Local\Temp\5808.exe

MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

memory/1056-277-0x0000000000400000-0x0000000002F57000-memory.dmp

memory/5932-279-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1 0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256 73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512 6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 2a03e19d5af7606e8e9a5c86a5a78880
SHA1 93945d1e473713d83316aaa9a297a417fb302db7
SHA256 15dea69e1ef7f927cdf56b7b6a31189b825b0cef06eeca4811006e7bf9d02c9a
SHA512 f263945af96cb0040d521832038862bfa05f4c9efd0eda0ae511dc1ab0ced179e0e64a3054de42bdc159db2520ff45f2b56ac08a7ac59bd01b74bbdf4b013f93

memory/6116-282-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4923.exe

MD5 f99d573625e45fc9d02bd27d30aa5839
SHA1 e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256 14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512 84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d

memory/6136-284-0x0000000000000000-mapping.dmp

memory/6136-285-0x0000000000400000-0x000000000058E000-memory.dmp

memory/1056-286-0x0000000000400000-0x0000000002F57000-memory.dmp

memory/6236-287-0x0000000000000000-mapping.dmp

memory/6292-288-0x0000000000000000-mapping.dmp

memory/6116-289-0x0000000004A74000-0x0000000004E5D000-memory.dmp

memory/6504-290-0x0000000000000000-mapping.dmp

memory/6556-291-0x0000000000000000-mapping.dmp

memory/6116-292-0x0000000000400000-0x0000000002F57000-memory.dmp

memory/6136-293-0x0000000000400000-0x000000000058E000-memory.dmp

memory/7264-294-0x0000000000000000-mapping.dmp

memory/6116-295-0x0000000000400000-0x0000000002F57000-memory.dmp

memory/7656-296-0x0000000000000000-mapping.dmp

memory/7264-297-0x0000000005000000-0x00000000053E9000-memory.dmp

memory/7656-298-0x0000000140000000-0x0000000140608000-memory.dmp

memory/7264-302-0x0000000000400000-0x0000000002F57000-memory.dmp

memory/7916-303-0x0000000000000000-mapping.dmp

memory/8016-304-0x0000000000000000-mapping.dmp

memory/8032-305-0x0000000000000000-mapping.dmp

memory/8116-306-0x0000000000000000-mapping.dmp

memory/8176-307-0x0000000000000000-mapping.dmp

memory/8188-308-0x0000000000000000-mapping.dmp

memory/8244-309-0x0000000000000000-mapping.dmp

memory/8244-310-0x0000000000400000-0x0000000000428000-memory.dmp

memory/8300-315-0x0000000000000000-mapping.dmp

memory/8312-316-0x0000000000000000-mapping.dmp

memory/8312-317-0x0000000000600000-0x0000000000620000-memory.dmp
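The listing above is raw sandbox output: one path line per dropped or touched file, followed by its MD5/SHA1/SHA256/SHA512, with memory dump names (memory/<pid>-<seq>-<range>) interleaved. The following Python is an added example, not part of this report or of the sandbox's own tooling. It parses entries in this format into IOC records and runs three checks an analyst otherwise does by eye: the same SHA-256 written under different names (39EF.exe and 5808.exe above), the same path logged more than once (5808.exe is listed three times), and an entry whose hashes are the digest of zero bytes (the crashpad named pipe), which identifies nothing and must not be pushed to a blocklist. It also sizes the region dumps and labels those that start at a default PE image base, the usual place to look for an unpacked payload. The sample input is a subset of entries copied from this section; the function names, the "aliases"/"repeat_events"/"empty" output layout and the image-base labels are this example's own.

```python
"""Parse a sandbox 'Files' listing into IOC records and triage it (added example)."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# SHA-256 of zero bytes: the artifact was empty, so its hash identifies nothing.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Linker defaults; a region dumped from here is the process's main module image.
IMAGE_BASES = {0x400000: "default 32-bit PE image base", 0x140000000: "default 64-bit PE image base"}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
                     r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")

# Sample input: a subset of entries copied from the listing above, not the full report.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\39EF.exe
MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/2092-245-0x0000000000000000-mapping.dmp

\??\pipe\crashpad_3048_DOGHWFSMIXJBEFPY
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\5808.exe
MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

C:\Users\Admin\AppData\Local\Temp\5808.exe
MD5 2f60ef19334491b0800f818fe87c42f9
SHA1 a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA256 2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA512 97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

memory/7656-298-0x0000000140000000-0x0000000140608000-memory.dmp
memory/6136-293-0x0000000000400000-0x000000000058E000-memory.dmp
"""

def parse_listing(text):
    """Return (files, dumps): files are dicts with 'path' plus a key per hash
    algorithm seen; dumps carry pid, seq, start, end, kind and region size."""
    files, dumps, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length: {line}")
            if cur is None:          # listing cut mid-entry: keep the orphan hash line
                files.append(cur := {"path": None})
            cur[algo] = digest
            continue
        d = DUMP_RE.match(line)
        if d:
            start = int(d["start"], 16)
            end = int(d["end"], 16) if d["end"] else None
            dumps.append({"pid": int(d["pid"]), "seq": int(d["seq"]), "start": start,
                          "end": end, "kind": d["kind"], "size": (end - start) if end else 0})
            cur = None
            continue
        cur = {"path": line}         # anything else starts a new file entry
        files.append(cur)
    return files, dumps

def triage(files):
    """Flag one SHA-256 under several names, one path logged repeatedly, and
    entries whose hash is the empty-input digest (worthless as a blocklist IOC)."""
    by_sha, events, empty = defaultdict(set), defaultdict(int), []
    for f in files:
        sha = f.get("SHA256")
        if sha is None:
            continue
        by_sha[sha].add(f["path"])
        events[(f["path"], sha)] += 1
        if sha == EMPTY_SHA256:
            empty.append(f["path"])
    return {"aliases": {s: sorted(p, key=str) for s, p in by_sha.items() if len(p) > 1},
            "repeat_events": {p: n for (p, s), n in events.items() if n > 1},
            "empty": empty}

def dump_summary(dumps):
    """Group region dumps by pid with size and image-base label; '-mapping.dmp'
    names carry no address range and are skipped."""
    out = defaultdict(list)
    for d in dumps:
        if d["kind"] == "memory":
            out[d["pid"]].append({"start": d["start"], "size": d["size"],
                                  "note": IMAGE_BASES.get(d["start"], "")})
    return dict(out)
```

To run it over the whole report, pass the full Files section as text to parse_listing (an orphan hash line at the top, like the SHA512 that opens this section, is kept as an entry with no path rather than dropped), then hand the result to triage and dump_summary. Entries without a SHA256 line are ignored by triage; every 0x0 "-mapping.dmp" name is parsed but contributes no region.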