Malware Analysis Report

2024-10-19 02:54

Sample ID 221201-zj6ghsab42
Target dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f
SHA256 dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f
Tags
amadey dcrat djvu smokeloader vidar 1148 517 backdoor collection discovery infostealer persistence ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f

Threat Level: Known bad

The file dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f was found to be: Known bad.

Malicious Activity Summary

DcRat

Djvu Ransomware

Amadey

Detects Smokeloader packer

Detected Djvu ransomware

SmokeLoader

Vidar

Executes dropped EXE

Drops file in Drivers directory

Downloads MZ/PE file

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Modifies file permissions

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-01 20:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-01 20:45

Reported

2022-12-01 20:48

Platform

win10-20220901-en

Max time kernel

122s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f3ee7324-eea5-4e8f-92a0-5969697f5af3\\204.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\204.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (x2)

Detected Djvu ransomware

Description | Indicator | Process | Target
(8 hits, no details recorded)

Detects Smokeloader packer

Description | Indicator | Process | Target
(3 hits, no details recorded)

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\FF44.exe | N/A
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\FF44.exe | N/A

Deletes itself

Description | Indicator | Process | Target
(1 hit, no details recorded)

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f3ee7324-eea5-4e8f-92a0-5969697f5af3\\204.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\204.exe | N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\FF44.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A (x4)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\237C.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F45.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\237C.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\237C.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F45.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F45.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (x2)

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A (x2)

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe | N/A (x2)
(62 further hits, no details recorded)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
(1 hit, no details recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F45.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\237C.exe | N/A
N/A | N/A | C:\Windows\explorer.exe | N/A (x36)
(22 further hits, no details recorded)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (x3)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (x17)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A (x17)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (x26)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (x24)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 8 wrote to memory of 5072 (x3) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF44.exe
PID 8 wrote to memory of 4164 (x3) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\204.exe
PID 8 wrote to memory of 3776 (x2) | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 3776 wrote to memory of 1640 (x3) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 1132 (x3) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F45.exe
PID 8 wrote to memory of 428 (x3) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1418.exe
PID 4164 wrote to memory of 4076 (x10) | N/A | C:\Users\Admin\AppData\Local\Temp\204.exe | C:\Users\Admin\AppData\Local\Temp\204.exe
PID 8 wrote to memory of 4176 (x3) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1BF9.exe
PID 8 wrote to memory of 2588 (x3) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\237C.exe
PID 8 wrote to memory of 4644 (x4) | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 8 wrote to memory of 2608 (x3) | N/A | N/A | C:\Windows\explorer.exe
PID 5072 wrote to memory of 4744 (x16) | N/A | C:\Users\Admin\AppData\Local\Temp\FF44.exe | C:\Users\Admin\AppData\Local\Temp\FF44.exe
PID 4744 wrote to memory of 3432 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\FF44.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3432 wrote to memory of 3124 (x2) | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4076 wrote to memory of 4440 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\204.exe | C:\Windows\SysWOW64\icacls.exe
PID 3432 wrote to memory of 4560 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
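
The parent and child PIDs in the table above are enough to reconstruct the injection chain without the sandbox's own process view. The following Python is an added example, not part of this sandbox report: it parses one representative row per distinct parent-child pair (copied from the table; the sandbox logs most pairs several times), deduplicates them, and prints the tree. PID 8 is never named in the report (its Process column is always N/A), so it is shown as "?" rather than guessed.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of this
# report, one per distinct parent->child pair. Repeats are harmless: build_tree
# deduplicates on (parent, child).
WPM_ROWS = [
    r"PID 8 wrote to memory of 5072 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF44.exe",
    r"PID 8 wrote to memory of 4164 N/A N/A C:\Users\Admin\AppData\Local\Temp\204.exe",
    r"PID 8 wrote to memory of 3776 N/A N/A C:\Windows\system32\regsvr32.exe",
    r"PID 3776 wrote to memory of 1640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe",
    r"PID 8 wrote to memory of 1132 N/A N/A C:\Users\Admin\AppData\Local\Temp\F45.exe",
    r"PID 8 wrote to memory of 428 N/A N/A C:\Users\Admin\AppData\Local\Temp\1418.exe",
    r"PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\204.exe C:\Users\Admin\AppData\Local\Temp\204.exe",
    r"PID 8 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BF9.exe",
    r"PID 8 wrote to memory of 2588 N/A N/A C:\Users\Admin\AppData\Local\Temp\237C.exe",
    r"PID 8 wrote to memory of 4644 N/A N/A C:\Windows\SysWOW64\explorer.exe",
    r"PID 8 wrote to memory of 2608 N/A N/A C:\Windows\explorer.exe",
    r"PID 5072 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\FF44.exe C:\Users\Admin\AppData\Local\Temp\FF44.exe",
    r"PID 4744 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\FF44.exe C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"PID 3432 wrote to memory of 3124 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"PID 4076 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\204.exe C:\Windows\SysWOW64\icacls.exe",
    r"PID 3432 wrote to memory of 4560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe",
]

# Columns: "PID <parent> wrote to memory of <child>", Indicator (always N/A here),
# Process (N/A or a path that may contain spaces), Target (a path that may contain
# spaces). The Target column always starts with "C:\", which is what lets the two
# space-containing path columns be told apart.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_edges(rows):
    """Return (parent_pid, child_pid, parent_image, child_image) tuples."""
    edges = []
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        parent, child, proc, target = m.groups()
        edges.append((int(parent), int(child), proc, target))
    return edges


def build_tree(edges):
    """Deduplicate edges into a children map and a pid -> image map."""
    children = defaultdict(list)
    image = {}
    seen = set()
    for parent, child, proc, target in edges:
        if (parent, child) in seen:
            continue
        seen.add((parent, child))
        children[parent].append(child)
        image[child] = target
        if proc != "N/A":          # the Process column names the parent, when known
            image.setdefault(parent, proc)
    return dict(children), image


def roots(children):
    """PIDs that write into others but are never written into themselves."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written_to)


def chain(children, start, pid):
    """Parent->child path from start down to pid, or None if unreachable."""
    if start == pid:
        return [start]
    for kid in children.get(start, []):
        rest = chain(children, kid, pid)
        if rest:
            return [start] + rest
    return None


def render(children, image, pid, depth=0):
    """Indented text tree; a pid the report never names (PID 8) shows as '?'."""
    lines = [f"{'    ' * depth}{pid}  {image.get(pid, '?')}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, image, kid, depth + 1))
    return lines


if __name__ == "__main__":
    kids, names = build_tree(parse_edges(WPM_ROWS))
    for root in roots(kids):
        print("\n".join(render(kids, names, root)))
```

Running it shows the three chains worth reading against the Processes section: 8 to FF44.exe to a second FF44.exe to chrome.exe (the Chrome launch toward search-hoj.com), 8 to 204.exe to a second 204.exe to icacls.exe (the copy in the f3ee7324 directory locking that directory against Everyone), and 8 to the 64-bit regsvr32.exe to the SysWOW64 regsvr32.exe that loads 784.dll.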

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe

"C:\Users\Admin\AppData\Local\Temp\dd8d03f66f5ef8b372828580eaf08cccff8eb84949de65031728a8b20ad2823f.exe"

C:\Users\Admin\AppData\Local\Temp\FF44.exe

C:\Users\Admin\AppData\Local\Temp\FF44.exe

C:\Users\Admin\AppData\Local\Temp\204.exe

C:\Users\Admin\AppData\Local\Temp\204.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\784.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\784.dll

C:\Users\Admin\AppData\Local\Temp\F45.exe

C:\Users\Admin\AppData\Local\Temp\F45.exe

C:\Users\Admin\AppData\Local\Temp\1418.exe

C:\Users\Admin\AppData\Local\Temp\1418.exe

C:\Users\Admin\AppData\Local\Temp\204.exe

C:\Users\Admin\AppData\Local\Temp\204.exe

C:\Users\Admin\AppData\Local\Temp\1BF9.exe

C:\Users\Admin\AppData\Local\Temp\1BF9.exe

C:\Users\Admin\AppData\Local\Temp\237C.exe

C:\Users\Admin\AppData\Local\Temp\237C.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\FF44.exe

C:\Users\Admin\AppData\Local\Temp\FF44.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 476

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://search-hoj.com/reginst/prg/c2bcbb9f/102/0/"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0x5c,0xd8,0x7ffd19dc4f50,0x7ffd19dc4f60,0x7ffd19dc4f70

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f3ee7324-eea5-4e8f-92a0-5969697f5af3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1732 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1516 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\204.exe

"C:\Users\Admin\AppData\Local\Temp\204.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\204.exe

"C:\Users\Admin\AppData\Local\Temp\204.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 /prefetch:8

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe

"C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe"

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build3.exe

"C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build3.exe"

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe

"C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\E805.exe

C:\Users\Admin\AppData\Local\Temp\E805.exe

C:\Users\Admin\AppData\Local\Temp\E7A.exe

C:\Users\Admin\AppData\Local\Temp\E7A.exe

C:\Users\Admin\AppData\Local\Temp\1736.exe

C:\Users\Admin\AppData\Local\Temp\1736.exe

C:\Users\Admin\AppData\Local\Temp\1736.exe

"C:\Users\Admin\AppData\Local\Temp\1736.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 /prefetch:8

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6861067666022796432,18219198750484488219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1736.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 furubujjul.net udp
N/A 91.195.240.101:80 furubujjul.net tcp
N/A 8.8.8.8:53 starvestitibo.org udp
N/A 193.106.191.15:80 starvestitibo.org tcp
N/A 8.8.8.8:53 careers-info.com udp
N/A 167.235.4.117:443 careers-info.com tcp
N/A 79.137.206.108:80 79.137.206.108 tcp
N/A 8.8.8.8:53 api.2ip.ua udp
N/A 162.0.217.254:443 api.2ip.ua tcp
N/A 8.8.8.8:53 starvestitibo.org udp
N/A 193.106.191.15:80 starvestitibo.org tcp
N/A 8.8.8.8:53 search-hoj.com udp
N/A 8.8.8.8:53 accounts.google.com udp
N/A 31.220.1.81:443 search-hoj.com tcp
N/A 142.251.36.45:443 accounts.google.com tcp
N/A 31.220.1.81:443 search-hoj.com tcp
N/A 8.8.8.8:53 dns.google udp
N/A 8.8.4.4:443 dns.google tcp
N/A 8.8.4.4:443 dns.google tcp
N/A 8.8.4.4:443 dns.google udp
N/A 142.250.179.142:443 tcp
N/A 31.220.1.81:443 search-hoj.com tcp
N/A 142.250.179.142:443 google.com tcp
N/A 31.220.1.81:443 search-hoj.com tcp
N/A 31.220.1.81:443 search-hoj.com tcp
N/A 8.8.4.4:443 dns.google udp
N/A 127.0.0.1:443 tcp
N/A 216.58.208.99:443 ssl.gstatic.com tcp
N/A 216.58.208.110:443 apis.google.com tcp
N/A 8.8.8.8:53 api.2ip.ua udp
N/A 162.0.217.254:443 api.2ip.ua tcp
N/A 8.8.8.8:53 uaery.top udp
N/A 8.8.8.8:53 fresherlights.com udp
N/A 211.59.14.90:80 uaery.top tcp
N/A 201.124.230.1:80 fresherlights.com tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 8.8.8.8:53 dowe.at udp
N/A 201.124.230.1:80 fresherlights.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 123.253.32.170:80 123.253.32.170 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 8.8.8.8:53 t.me udp
N/A 149.154.167.99:443 t.me tcp
N/A 116.203.0.170:80 116.203.0.170 tcp
N/A 224.0.0.251:5353 udp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 8.8.8.8:53 r3oidsofsios.com udp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 127.0.0.1:443 tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 127.0.0.1:443 tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 31.41.244.188:80 31.41.244.188 tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 8.8.8.8:53 github.com udp
N/A 140.82.114.3:443 github.com tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 149.154.167.99:443 t.me tcp
N/A 8.8.4.4:443 dns.google udp
N/A 142.250.179.163:443 update.googleapis.com tcp
N/A 116.203.0.170:80 116.203.0.170 tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 62.204.41.252:80 62.204.41.252 tcp
N/A 62.204.41.252:80 62.204.41.252 tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 190.140.74.43:80 dowe.at tcp
N/A 8.8.4.4:443 dns.google tcp
N/A 8.8.4.4:443 dns.google udp

Files

memory/2412-120-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-121-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-122-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-123-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-124-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-125-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-126-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-127-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-128-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-129-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-130-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-131-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-132-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-133-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-134-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-136-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-137-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-138-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-139-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-140-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-141-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-142-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-143-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-144-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-145-0x0000000000470000-0x00000000005BA000-memory.dmp

memory/2412-146-0x00000000001D0000-0x00000000001D9000-memory.dmp

memory/2412-147-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2412-148-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-149-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-150-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-151-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-152-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-153-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-154-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-156-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-155-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/2412-157-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF44.exe

MD5 47ad5d71dcd38f85253d882d93c04906
SHA1 941ef208fb34ff9a3b25f7a325fcd0a44eacaaaf
SHA256 6ba14148ff3ce0ee93f4d2641677ac454aa0187821cba41c8eb03212a8c04fe2
SHA512 75291bdf369e90b76d7c15a45c3532f751e82a7acde205af1c019775e1138833cea32652fe940cc98e3a491f2c3677c45d58933c7e2ea55f089e99f2133dd0d0

memory/5072-158-0x0000000000000000-mapping.dmp

memory/5072-160-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-161-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-162-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-163-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-164-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-166-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-165-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-167-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-168-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-169-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-170-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-171-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/5072-172-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\204.exe

MD5 dc91f3648d7b0240a0e5ca5da5160b8a
SHA1 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256 cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35

memory/4164-176-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-177-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-178-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-179-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-180-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-181-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-182-0x00000000774F0000-0x000000007767E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\204.exe

MD5 dc91f3648d7b0240a0e5ca5da5160b8a
SHA1 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256 cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35

memory/4164-184-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-185-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-187-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/3776-189-0x0000000000000000-mapping.dmp

memory/4164-190-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-188-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-191-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/1640-194-0x0000000000000000-mapping.dmp

memory/1640-195-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/1640-196-0x00000000774F0000-0x000000007767E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\784.dll

MD5 b5a6673ea8122fd4e50b967f5a2be296
SHA1 f2af0dff034e37f65791db6abba901174bd05d96
SHA256 8d2f2df5c1fc4f8d47b080d7ba5527c92bf40764171f21090dd0ab73fc1c492f
SHA512 5608315605cce0050b4b44ec570bd71a4d01696a8e1859bb8b59ffe3aef0e039f343201a6875598799236f51a3f879a6355a10aed64ecd182f3569a29401d578

memory/1640-197-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-192-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/4164-186-0x00000000774F0000-0x000000007767E000-memory.dmp

memory/1132-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F45.exe

MD5 510415fbe19b40149650eba18ba69099
SHA1 56876ffb4b2aae49285741fdbf41db7448c645b3
SHA256 c44700faae07d06395583ca84f7fbe1f1083971008d0316ad7aa8f72ee03965e
SHA512 318c76f1c6b12f14c69df1033397208eb631701d8128de31c555f5d93e6471cc7e0c56a3ed8c9e0c19d7084b8e3c6f839ea35e8a8d01c34774f4fee193a477ce

C:\Users\Admin\AppData\Local\Temp\F45.exe

MD5 510415fbe19b40149650eba18ba69099
SHA1 56876ffb4b2aae49285741fdbf41db7448c645b3
SHA256 c44700faae07d06395583ca84f7fbe1f1083971008d0316ad7aa8f72ee03965e
SHA512 318c76f1c6b12f14c69df1033397208eb631701d8128de31c555f5d93e6471cc7e0c56a3ed8c9e0c19d7084b8e3c6f839ea35e8a8d01c34774f4fee193a477ce

memory/428-233-0x0000000000000000-mapping.dmp

memory/4164-247-0x0000000002200000-0x000000000231B000-memory.dmp

memory/4164-242-0x0000000002160000-0x00000000021FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1418.exe

MD5 625dee38c26375c8e089f41a81655002
SHA1 2fc1b42b4cecb1862d2e2e0a3d26b164dbd53b7b
SHA256 8e4eee8b58720238567ce15c10eed499c39c802f7e237f836ecaccdc0b6ca7d1
SHA512 6d109a970a856f02f0935c5fca2380d82c641b70bb943fbcd2c0b28edb75a523ffccab0346005b78fdc7d5a36ec9876e6907ed8f6266e7ef0ba522b90539eb09

C:\Users\Admin\AppData\Local\Temp\1418.exe

MD5 625dee38c26375c8e089f41a81655002
SHA1 2fc1b42b4cecb1862d2e2e0a3d26b164dbd53b7b
SHA256 8e4eee8b58720238567ce15c10eed499c39c802f7e237f836ecaccdc0b6ca7d1
SHA512 6d109a970a856f02f0935c5fca2380d82c641b70bb943fbcd2c0b28edb75a523ffccab0346005b78fdc7d5a36ec9876e6907ed8f6266e7ef0ba522b90539eb09

memory/4176-286-0x0000000000000000-mapping.dmp

memory/4076-285-0x0000000000424141-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\204.exe

MD5 dc91f3648d7b0240a0e5ca5da5160b8a
SHA1 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256 cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35

C:\Users\Admin\AppData\Local\Temp\1BF9.exe

MD5 ca6e023ab975494e626c825e45f6873c
SHA1 03081a7f1d82ac3c88bcfac56807ffcae6e344cb
SHA256 cf4c64e20ab121c8740766b6dd10cd18d2b5085dbe30f876bae2b66952f25065
SHA512 3025694c2db5510956f5d63e6f98f14bbfd58d01abcb8de77175dc847266caed6edda5a4fc1f1edbe91d21c92cbcaf5103abba55389f1247fcd6fb5dd3764560

\Users\Admin\AppData\Local\Temp\784.dll

MD5 b5a6673ea8122fd4e50b967f5a2be296
SHA1 f2af0dff034e37f65791db6abba901174bd05d96
SHA256 8d2f2df5c1fc4f8d47b080d7ba5527c92bf40764171f21090dd0ab73fc1c492f
SHA512 5608315605cce0050b4b44ec570bd71a4d01696a8e1859bb8b59ffe3aef0e039f343201a6875598799236f51a3f879a6355a10aed64ecd182f3569a29401d578

C:\Users\Admin\AppData\Local\Temp\1BF9.exe

MD5 ca6e023ab975494e626c825e45f6873c
SHA1 03081a7f1d82ac3c88bcfac56807ffcae6e344cb
SHA256 cf4c64e20ab121c8740766b6dd10cd18d2b5085dbe30f876bae2b66952f25065
SHA512 3025694c2db5510956f5d63e6f98f14bbfd58d01abcb8de77175dc847266caed6edda5a4fc1f1edbe91d21c92cbcaf5103abba55389f1247fcd6fb5dd3764560

memory/2588-317-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\237C.exe

MD5 6b2eb5128b32097a5da4894177b08627
SHA1 b17fe8600c6b7a2e2125b14d305562f9992d7570
SHA256 2d06bbb31414ce7bcf71f257836164e93b6b127bf12e434d26bff9b359d21949
SHA512 4a8b739ea147483b1bfdc21dd2eeb80643af0ab8e6e7b85a4bf89ebd15307403a3eeed618bef7a6d302e3f2fbe054cf80f53984e2f7fd70a836af33d84f2bc69

memory/1132-344-0x0000000000736000-0x0000000000747000-memory.dmp

memory/4644-339-0x0000000000000000-mapping.dmp

memory/1132-356-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\237C.exe

MD5 6b2eb5128b32097a5da4894177b08627
SHA1 b17fe8600c6b7a2e2125b14d305562f9992d7570
SHA256 2d06bbb31414ce7bcf71f257836164e93b6b127bf12e434d26bff9b359d21949
SHA512 4a8b739ea147483b1bfdc21dd2eeb80643af0ab8e6e7b85a4bf89ebd15307403a3eeed618bef7a6d302e3f2fbe054cf80f53984e2f7fd70a836af33d84f2bc69

memory/5072-360-0x0000000004A30000-0x0000000004BF2000-memory.dmp

memory/1132-350-0x0000000000550000-0x0000000000559000-memory.dmp

memory/2608-370-0x0000000000000000-mapping.dmp

memory/5072-367-0x0000000004C00000-0x0000000004FCF000-memory.dmp

memory/2608-394-0x00000000003B0000-0x00000000003BC000-memory.dmp

memory/4744-414-0x000000000074B9E8-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FF44.exe

MD5 47ad5d71dcd38f85253d882d93c04906
SHA1 941ef208fb34ff9a3b25f7a325fcd0a44eacaaaf
SHA256 6ba14148ff3ce0ee93f4d2641677ac454aa0187821cba41c8eb03212a8c04fe2
SHA512 75291bdf369e90b76d7c15a45c3532f751e82a7acde205af1c019775e1138833cea32652fe940cc98e3a491f2c3677c45d58933c7e2ea55f089e99f2133dd0d0

memory/428-428-0x00000000006A6000-0x00000000006B7000-memory.dmp

memory/428-433-0x0000000000470000-0x000000000051E000-memory.dmp

memory/428-438-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4176-470-0x00000000004F0000-0x000000000059E000-memory.dmp

memory/4176-481-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4176-476-0x00000000004C0000-0x00000000004C9000-memory.dmp

memory/4076-509-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-525-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1132-521-0x0000000000736000-0x0000000000747000-memory.dmp

memory/2588-541-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2588-537-0x0000000000580000-0x00000000006CA000-memory.dmp

memory/4744-569-0x0000000000400000-0x00000000007DC000-memory.dmp

memory/4644-581-0x0000000000D50000-0x0000000000DC5000-memory.dmp

memory/4644-604-0x0000000000CE0000-0x0000000000D4B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

MD5 56b3efbcd6523f9687ea1dd6204458e0
SHA1 07cb84f9a4e886f0ea561a8517833491aae4d989
SHA256 0b45cde49aa2da8ca588e11cc9eab35585e35a96597e759e1d2c968e61644350
SHA512 41b3ca0ad2a4caa40a711c2b5459242e5027d63a4542be77469b46eed4f22ef25629ec0d850aecc89800527658ffd78fe22b96c8b647f30cd197e75f29ccf793

memory/4644-639-0x0000000000CE0000-0x0000000000D4B000-memory.dmp

memory/2588-641-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4440-645-0x0000000000000000-mapping.dmp

memory/428-646-0x00000000006A6000-0x00000000006B7000-memory.dmp

memory/428-647-0x0000000000470000-0x000000000051E000-memory.dmp

memory/428-648-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d1bf5238042c77fde4eb452904c185eb
SHA1 95d9d06427a0f1611fc6a26722ebff5a3a5f72b6
SHA256 e49fb6bf5a42303af561059f8bb33cc3e9964aa335dc0c67ef4f556438eb2fae
SHA512 1c1e7145534d3ea28dd8740268cf2bbe895297760c73e718ce22597c526a348b94614ac65d4b8b2ccf2bc19d7c04977c2d02ab44d58d2a4694ad36135c906927

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5fe9b333ef5fcd8dfed56408a7863ff4
SHA1 88b14ec87e25cd7ce0e28419a495399ebed59347
SHA256 c1ace4768bb8d9308a146125f9f326619e3957bfa536d926f42234bf737c5ac1
SHA512 bcaa04f39c01ded4739c5e670457e1b58fda58e16a8cac9c0675637f96d40c0dec3df353b9517bc31d632cb0236d75c3f0c4e551d46a420f8318c1564365457b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\js\ads.js

MD5 861911c84110225c3a7aedb619cdc8fd
SHA1 74e7694d3e1949d7fcdd3f6ad9fba26c7a139df9
SHA256 739e8d5face2f027960a1e7974160687905f920adf128a7c6c936ee0b35ae9a3
SHA512 425484b45d7941055aa7a7caea9b7fd072fece1a2fd0a34a44fd1e95b9f1c37d9a748f2746d56c12771ed68dc69814e9580607d64245391d1b92127e729384d2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\128.png

MD5 1f2092ca6379fb8aaf583d4bc260955e
SHA1 1f5c95c87fc0e794fffa81f9db5e6663eefa2cd1
SHA256 bf8b8d46317c1fda356507735093f90dff5a578f564ed482b1166088ffcb8015
SHA512 5ee4e914801fd60a3f3840cb7836f4773c6a49cfc878b431a60d0eb7e7dc391d1efdb079fab134ed08148a94e83d1eeb483a698f6cb8d3136dadd645058b9cd7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\64.png

MD5 d93ff667b54492bba9b9490cf588bf49
SHA1 9a9f6fc23ecbaacebbc3260c76bb57bab5949a63
SHA256 55a82197ac30ec87ecbaa140ed6f007c4d4a379834370a518b77971e0107c9a0
SHA512 923051a25d4c4567cee0af02feb4cf02bdecca3c6f344bc48994941632637c0ec47303734f5e3dc76160b2c9f2f4eae704ac48e2806ac998a4dc8707c7db59b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\48.png

MD5 059ee71acc8439f352e350aecd374ab9
SHA1 d5143bf7aad6847d46f0230f0edf6393db4c9a8c
SHA256 0047690e602eb4a017c27402ad27cfe3b2e897b6e7b298e4f022e69fa2024b50
SHA512 91928af347a547678d15b95836b7daeb6b2fbbd4855f067be9f6b8feadafff7803aa31159c8a1bf8f7cb95733bde883315a189dae54d898d517f521ea37d5ded

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\36.png

MD5 4e93455eb724d13f8cddbe4c5fd236c3
SHA1 3e8c930686c4024e0a3e6cd813d709ce67a7208d
SHA256 a3e4f86e7e85040a8e234652d834c089bdb2849937194b612ca1963c81fcc69f
SHA512 78a3c51f4db8aa273f6d0363c93c0b88d401752b18007b1a09303236b1d91e9758d8ea32a88b8ce76c6e820fe0ebca5ae1fc28c86dc98479f1ff8200c2dfeb83

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\32.png

MD5 a11da999ffc6d60d18430e21be60a921
SHA1 f98adfc8f6c526f2d3d9bd7b8726a7ea851ec1e5
SHA256 1e8162fa7f3109b450c66d3c7a4a8ba205f1516d23a5b610ab396ec0931b6dc6
SHA512 8aa2078ff8e68edd30ba46a4cae1a87df2a92e9623c848f0bcd816791f6243faa98164ec849c544130f22b8cb1fa1bd9e5bece8367fde1fd22fe8b1da09ce401

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\24.png

MD5 52b03cd5ab1715c9478925d24e470989
SHA1 675804f5552867b9015b6cdb2328a88b3596a00c
SHA256 afb7462a5952697a10eda8f653fb57287def531ba851678323dfa838a0291ccb
SHA512 00dc3c4ae1939f16e506bf414d369c755e5043edbaf9181e9c05f48d1cc55c5f05f67c9cab2ab82a2845fdeba977d47c263bdd23762ba3cfcea43d8bb1b3fdd3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\ico\16.png

MD5 c2e121bfc2b42d77c4632f0e43968ac2
SHA1 0f1d5bc95df1b6b333055871f25172ee66ceb21d
SHA256 7d0d655cccfc117307faf463404da2931c2f5deae5ce80e638e042beccfa7b1e
SHA512 baa00af5fe6de9a3de61f85f4e27dec9c5c9a12052fb1d110f2dc5c1a4e39d275547a6d0368a93f6c0c88945dca3777b550408942f7c498ba556170b1e7a243c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdklkehakandkgnhnjnbpnnngiohpchj\0.0.0_0\manifest.json

MD5 23bb601e1a3c4a5a19830739f33b6f7b
SHA1 3558f1194cf2562f66245d7d5f562e7331da8afd
SHA256 04bbd2c615f81fd4f57663259f6373224033b23c623bc1265afcd8ceb548f1bb
SHA512 71cb66058b9cd2feb98b01d78554422fbbad148fc2e9450a6fcdf25af6a8bed4a3c0d71df6293e1da22af4f24e31bc95fa1f54836e2f7798c56bd03d144b1dba

C:\Windows\system32\drivers\etc\hosts

MD5 6b800a7ce8e526d4ef554af1d3c5df84
SHA1 a55b3ee214f87bd52fa8bbd9366c4b5b9f25b11f
SHA256 d3834400ae484a92575e325d9e64802d07a0f2a28ff76fb1aef48dbce32b931f
SHA512 cce2d77ad7e26b9b2fae11761d8d7836b160db176777f2904471f4f73e5e39036979ba9ff66aea6fd21338a3bba4a6b0ad63f025870d55e1486bb569d813d49a

\??\pipe\crashpad_3432_AVRNLPDUYTKVUVDH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4176-666-0x00000000004F0000-0x000000000059E000-memory.dmp

memory/4744-665-0x0000000000400000-0x00000000007DC000-memory.dmp

memory/4176-667-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4076-678-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f3ee7324-eea5-4e8f-92a0-5969697f5af3\204.exe

MD5 dc91f3648d7b0240a0e5ca5da5160b8a
SHA1 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256 cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35

memory/4684-691-0x0000000000000000-mapping.dmp

memory/4076-692-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\204.exe

MD5 dc91f3648d7b0240a0e5ca5da5160b8a
SHA1 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256 cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35

memory/4684-711-0x00000000021D0000-0x000000000226A000-memory.dmp

memory/4864-722-0x0000000000424141-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\204.exe

MD5 dc91f3648d7b0240a0e5ca5da5160b8a
SHA1 7fa09bae115cf99b6a1f2440eef27bf3e6f5240a
SHA256 cd1581c5c97e41d6b4954983ca48c081466e9f34fe1fc7a71bf99a32b76335e6
SHA512 7f51ca1bec1a2deab5652fe77ed2a8764a22d610f503193ceb3307a2525eed68779015803f0fc6484019d29691233d322148da651595f7b28e85b40717319b35

memory/4864-773-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 61ffe15234088bd43d27e9eb101ad1f6
SHA1 80e8cf2dbbf66018e148cbab446cfc5e52eed1b2
SHA256 1dc492a98f81cf0473e5ebc17c9284892b88c592b5194c31761a1ef1985c59b5
SHA512 f925dbd2d421bc596f344241ce915b69e8f9a5112f4b9d6e62c82a717493ce2422366395dea33dfce896704b940afd6366923a7a2eb476d10563bc76de15b61d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a3338a5ed608e4a8fb577ef08bf00f68
SHA1 54383542f5b542b3ccf3498a6cd7f5e9550da344
SHA256 4f514684f30ec8e300b8ffa37dc6d13899729ede8ff17f3b65327db93a52c61f
SHA512 3efd0990b4e71e273c4e77d72df1df8aceee2e4dd51498bb21c5b1d30da884dc6908feedfc0424f176248a40e6da989c69dce638dd337c46273956a7f80d4065

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 912da6b52d140c350937afa14a357061
SHA1 5eb54c7f9f32a1e3442113fd93c348027e218004
SHA256 033b9d2ea11a924f8cd8af9d923c311efc401040802424ad0f7c8c811cb5f88d
SHA512 ace1abd89c31d0979a817b994fff933fec49b5f1204bc8d6ba43a41fd776500e719d3df95f1f90358d000b6de1705abe3cd8d120d13a9096ecea24afff4bdc2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 57894cab41d4f2af769899740721920c
SHA1 e1f638fbb3a14903d64775bdcc412d5e7da07be7
SHA256 e41252dcf314b123fa9251730214cd5747b0f6207ceb89898aa23aab5348cfb6
SHA512 35c1a94ab54b74a8b6dd8a3e46ec1a6cbbf9858c8b2399d06a518b07c17e3f065b41676154808b0178ceecd020ef5ce1acd83b08c77a2d5d9d5a7af68c45d5de

memory/204-814-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe

MD5 b9212ded69fae1fa1fb5d6db46a9fb76
SHA1 58face4245646b1cd379ee49f03a701eab1642be
SHA256 7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19adeda48b49acb20e16f
SHA512 09cab8ccedb9e53d6d2725e8b9dbbe8fa9552607a58d89876b6539a6612b2e7ac0440ef281971bec9191510915fa6264048510add493e6a862b0d3b4f006e342

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe

MD5 b9212ded69fae1fa1fb5d6db46a9fb76
SHA1 58face4245646b1cd379ee49f03a701eab1642be
SHA256 7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19adeda48b49acb20e16f
SHA512 09cab8ccedb9e53d6d2725e8b9dbbe8fa9552607a58d89876b6539a6612b2e7ac0440ef281971bec9191510915fa6264048510add493e6a862b0d3b4f006e342

memory/4948-839-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/204-879-0x000000000071A000-0x0000000000746000-memory.dmp

memory/204-881-0x00000000020A0000-0x00000000020EB000-memory.dmp

memory/2536-885-0x00000000004231AC-mapping.dmp

memory/4944-884-0x0000000000000000-mapping.dmp

memory/204-890-0x000000000071A000-0x0000000000746000-memory.dmp

C:\Users\Admin\AppData\Local\ad07c404-6b95-404d-a828-e043f40e577c\build2.exe

MD5 b9212ded69fae1fa1fb5d6db46a9fb76
SHA1 58face4245646b1cd379ee49f03a701eab1642be
SHA256 7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19adeda48b49acb20e16f
SHA512 09cab8ccedb9e53d6d2725e8b9dbbe8fa9552607a58d89876b6539a6612b2e7ac0440ef281971bec9191510915fa6264048510add493e6a862b0d3b4f006e342

memory/2536-911-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4864-909-0x0000000000400000-0x0000000000537000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a2554e9ffce337a24189c4755a273a6f
SHA1 135fd5128ed7ee677188f503de25c8507688f512
SHA256 972bc98346a98fd4ef758fa99308356d1448c6eca4d0ec5418653963916cba72
SHA512 8db5ba752174e86402783113bdb635e23e1789aa913d915f4558163afec9ce19bd83c16d2d983e909adcb102aa0b4c76a10137a3851a8ad885a1a7af704d8561

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

MD5 1ce4a9844cc499a5e0a66e19f4ab9ff3
SHA1 6884ccfe0678bab97d1572f631b353a6908b1a0e
SHA256 c413ed6426633c4e9e317173398a07e219c0c9cb4e97ff8ba192dd96a4e3a4b5
SHA512 54585ba207400210c22d0b22ca6b267f08a6ac8aac4733acdf72c6a022da15c4e1f4bffb88f539bef3ec4125adeb9b3153085bf73eca4001a43da3925045f97d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

MD5 e17f7f9f33aa50de34432ff8dfd3d9e7
SHA1 f9c7f7aef043bfdf842494beedf375784ddc4ae8
SHA256 06c8aae1c372bce37179bfaee1cd64a0c397a9d78aec254a4b46cef37dd4140e
SHA512 7ce0e48f5701955b65ac7f447da2cdbfca805e657d550a811f2d8f64e8f3480e71aec6288dbed7c84bf4aef30eddb0d403ffedefe54ff2e6b163c9f110eadee3

memory/4752-1019-0x0000000000000000-mapping.dmp

memory/2536-1021-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4300-1026-0x0000000000000000-mapping.dmp

memory/3552-1046-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E805.exe

MD5 1cdd58e5697337d574c1074e3022b6ef
SHA1 096916c31a85410776e0e0f91c9ba844f68b5ca4
SHA256 33ddf00433ffc36f224753c68880ed25bd110609d2a9630d67cd8e3f6e75e3ca
SHA512 16e55e844bc3fd40148aaa352f01a388ac6c6493df9ed3689cc2986ac1fa390a4b3012794981441dafe143e4b4e2caac836de9583f33ddc1815f1fbbffc8778f

C:\Users\Admin\AppData\Local\Temp\E7A.exe

MD5 ef20768d8e781368b6670d5675be6a50
SHA1 23e7c3aacc30dec429357a28778e44be1273c80e
SHA256 ffa3a18c0ee028cfa575f28cbf71499fe55b0aa215825473e5b0a576362ceb37
SHA512 f83fccc87a53812caea9cfa053179281f0f5f01935e9a0e725d7feea427b89da64f17857b389189a921dc1f82190c8c8dbda0b6a35b4860792f636b726462721

C:\Users\Admin\AppData\Local\Temp\1736.exe

MD5 e9a0d9f852b134aea305a6910dddd141
SHA1 34a23d8a7a8ee46b15f90ce7de1c4d689cb6c907
SHA256 c128a6e4bd58c45bf0499083c3e8f0c514d7d6575851cc7ef2620552a18541b9
SHA512 d3362ea27e695d72fd375872a0dffe9b339ceef2261830516d0411964088d030a405ca694f56d1090071047534758b7ec03cb496fecd972019ef29abf88eecf7

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

MD5 ef20768d8e781368b6670d5675be6a50
SHA1 23e7c3aacc30dec429357a28778e44be1273c80e
SHA256 ffa3a18c0ee028cfa575f28cbf71499fe55b0aa215825473e5b0a576362ceb37
SHA512 f83fccc87a53812caea9cfa053179281f0f5f01935e9a0e725d7feea427b89da64f17857b389189a921dc1f82190c8c8dbda0b6a35b4860792f636b726462721
