Malware Analysis Report

2024-10-23 19:20

Sample ID 231023-sk54tabd38
Target deploy.exe
SHA256 1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
Tags
rat default asyncrat njrat stealerium stormkitty hacked collection persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a

Threat Level: Known bad

The file deploy.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat njrat stealerium stormkitty hacked collection persistence spyware stealer trojan upx

Stealerium

Async RAT payload

AsyncRat

njRAT/Bladabindi

StormKitty payload

Asyncrat family

StormKitty

Async RAT payload

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Reads data files stored by FTP clients

Uses the VBS compiler for execution

UPX packed file

Looks up geolocation information via web service

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

outlook_win_path

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of SetWindowsHookEx

Runs ping.exe

outlook_office_path

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-23 15:12

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-23 15:12

Reported

2023-10-23 15:42

Platform

win10v2004-20231020-en

Max time kernel

1800s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\deploy.exe"

Signatures

AsyncRat

rat asyncrat

Stealerium

stealer stealerium

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ubiopn.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\deploy.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\Windows\Dllhost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\Windows\Dllhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ubiopn.exe | N/A
N/A | N/A | C:\Windows\Dllhost.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | C:\Windows\Dllhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | C:\Windows\Dllhost.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\c:\users\admin\desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\devmgmt.msc | C:\Windows\system32\mmc.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3540 set thread context of 3920 | N/A | C:\Windows\Dllhost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\INF\c_firmware.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscompression.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\Dllhost.exe | C:\Users\Admin\AppData\Local\Temp\ubiopn.exe | N/A
File created | C:\Windows\INF\c_fsactivitymonitor.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsvirtualization.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_media.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fssystem.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\PerceptionSimulationSixDof.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_barcodescanner.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\remoteposdrv.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_cashdrawer.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsopenfilebackup.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\xusb22.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fssystemrecovery.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\oposdrv.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscontinuousbackup.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsencryption.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsreplication.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_linedisplay.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_smrdisk.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fshsm.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_mcx.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_apo.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\rdcameradriver.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_extension.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsphysicalquotamgmt.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\wsdprint.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_ucm.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fssecurityenhancer.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_smrvolume.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_proximity.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsquotamgmt.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_camera.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_netdriver.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\rawsilo.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsantivirus.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\miradisp.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsinfrastructure.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_computeaccelerator.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fsundelete.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_sslaccel.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_scmdisk.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_volume.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\ts_generic.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\dc1-controller.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_scmvolume.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_receiptprinter.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\digitalmediadevice.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_processor.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_swcomponent.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscfsmetadataserver.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_holographic.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_magneticstripereader.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscontentscreener.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_display.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_monitor.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_fscopyprotection.PNF | C:\Windows\system32\mmc.exe | N/A
File created | C:\Windows\INF\c_diskdrive.PNF | C:\Windows\system32\mmc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\mmc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\mmc.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\daemon.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\explorer.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "97001853" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31065541" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "97001853" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0764507c505da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{315E97B4-71B8-11EE-97DE-CE881E08C42C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000019be2f1b0c83324497d95522f5d0f46a00000000020000000000106600000001000020000000b6ec1a27f457303717dc3bdd43232f0e6197b5ac22f4cf865ca6d7c8cd5cc478000000000e8000000002000020000000c2242f9b42d5570037499f46b715e759181d4d85d2d5469a11fed90ab75fc2972000000028cbe25682a94218e55f8fd89789867cc41dd09ad83f63d07e1d3afb573e8ff040000000150d12523a22a829666981c2943297d5a212f0d37919942684a85698898f321908df41ea1a2046110ca2bc6a57608772f657b7c02c76db6ab68461a4992e9a24 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000019be2f1b0c83324497d95522f5d0f46a00000000020000000000106600000001000020000000b077dc0bfea080d5baac6db57d0ac293db798182f0033cfd63229b0f18a6dc21000000000e80000000020000200000009140d1568e3c88b3eb0583f73fc96747ce4eeee6078f2059e9edb1030d47e841200000001e0933d42e40f0dde959eb6e7ac3ec1223c630ddee9ce805c67446f4b96d89c640000000529ec0243ba368f0164ca4198b16091b88e961f02fcff057f2e43871c1f31a176d98f27f82d2dcee86b7651e61f0d33d22d0d00ef1e2909d3b4e569f417efb54 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c08f3907c505da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31065541" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133425481971808231" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 0c0001008421de39050000000000 | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 | C:\Windows\explorer.exe | N/A
Key created \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f706806ee260aa0d7449371beb064c986830000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel C:\Windows\explorer.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\daemon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe C:\Windows\System32\cmd.exe
PID 5028 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe C:\Windows\System32\cmd.exe
PID 5028 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\deploy.exe C:\Windows\system32\cmd.exe
PID 404 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 404 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4828 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4828 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4828 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\daemon.exe
PID 4828 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\daemon.exe
PID 3596 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\daemon.exe C:\Windows\SYSTEM32\cmd.exe
PID 3596 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\daemon.exe C:\Windows\SYSTEM32\cmd.exe
PID 2920 wrote to memory of 1580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 2920 wrote to memory of 1580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 3596 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\daemon.exe C:\Windows\System32\cmd.exe
PID 3596 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\daemon.exe C:\Windows\System32\cmd.exe
PID 4608 wrote to memory of 332 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4608 wrote to memory of 332 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 2000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\ubiopn.exe
PID 332 wrote to memory of 2000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\ubiopn.exe
PID 332 wrote to memory of 2000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\ubiopn.exe
PID 2000 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\ubiopn.exe C:\Windows\Dllhost.exe
PID 2000 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\ubiopn.exe C:\Windows\Dllhost.exe
PID 2000 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\ubiopn.exe C:\Windows\Dllhost.exe
PID 3156 wrote to memory of 2332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2332 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3156 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\daemon.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\daemon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\deploy.exe

"C:\Users\Admin\AppData\Local\Temp\deploy.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "daemon" /tr '"C:\Users\Admin\AppData\Roaming\daemon.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp366.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "daemon" /tr '"C:\Users\Admin\AppData\Roaming\daemon.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\daemon.exe

"C:\Users\Admin\AppData\Roaming\daemon.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\cmd.exe

"cmd"

C:\Windows\system32\PING.EXE

ping cloudflare.com

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubiopn.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubiopn.exe"'

C:\Users\Admin\AppData\Local\Temp\ubiopn.exe

"C:\Users\Admin\AppData\Local\Temp\ubiopn.exe"

C:\Windows\Dllhost.exe

"C:\Windows\Dllhost.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdbc859758,0x7ffdbc859768,0x7ffdbc859778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4652 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4956 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3396 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5000 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5640 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4784 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5984 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5916 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6476 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6356 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6236 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7056 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:8

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SetWatch.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5804 CREDAT:17410 /prefetch:2

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x490 0x150

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\3552883"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\SYSTEM32\cmd.exe

"cmd"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get caption

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\cmd.exe

"cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 52.230.19.146.in-addr.arpa udp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 cloudflare.com udp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:4456 tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 speedtest.net udp
US 151.101.66.219:443 speedtest.net tcp
US 151.101.66.219:443 speedtest.net tcp
US 8.8.8.8:53 219.66.101.151.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 www.speedtest.net udp
US 104.18.203.232:443 www.speedtest.net tcp
US 8.8.8.8:53 cdn.ziffstatic.com udp
US 8.8.8.8:53 b.cdnst.net udp
NL 95.101.74.135:443 cdn.ziffstatic.com tcp
US 8.8.8.8:53 c.amazon-adsystem.com udp
US 18.239.83.131:443 c.amazon-adsystem.com tcp
US 8.8.8.8:53 www.googletagservices.com udp
NL 142.251.36.2:443 www.googletagservices.com tcp
US 8.8.8.8:53 232.203.18.104.in-addr.arpa udp
US 8.8.8.8:53 135.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 131.83.239.18.in-addr.arpa udp
US 8.8.8.8:53 8.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 2.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 cdn.static.zdbb.net udp
FR 2.21.35.232:443 cdn.static.zdbb.net tcp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 142.250.145.155:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 ads.pubmatic.com udp
FR 104.80.22.145:443 ads.pubmatic.com tcp
US 104.18.130.236:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 147.47.239.18.in-addr.arpa udp
US 8.8.8.8:53 232.35.21.2.in-addr.arpa udp
US 8.8.8.8:53 155.145.250.142.in-addr.arpa udp
US 8.8.8.8:53 145.22.80.104.in-addr.arpa udp
US 8.8.8.8:53 236.130.18.104.in-addr.arpa udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 104.18.32.137:443 geolocation.onetrust.com tcp
US 142.250.145.155:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 trc.taboola.com udp
US 151.101.1.44:443 trc.taboola.com tcp
US 18.239.83.131:443 c.amazon-adsystem.com tcp
US 8.8.8.8:53 zdbb.net udp
US 8.8.8.8:53 gurgle.speedtest.net udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
NL 142.251.39.106:443 content-autofill.googleapis.com tcp
US 54.210.200.29:443 gurgle.speedtest.net tcp
IE 52.17.129.77:443 zdbb.net tcp
US 8.8.8.8:53 137.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 44.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 bidder.criteo.com udp
NL 178.250.1.8:443 bidder.criteo.com tcp
US 8.8.8.8:53 c2shb.pubgw.yahoo.com udp
DE 18.156.195.47:443 c2shb.pubgw.yahoo.com tcp
DE 18.156.195.47:443 c2shb.pubgw.yahoo.com tcp
DE 18.156.195.47:443 c2shb.pubgw.yahoo.com tcp
DE 18.156.195.47:443 c2shb.pubgw.yahoo.com tcp
DE 18.156.195.47:443 c2shb.pubgw.yahoo.com tcp
US 8.8.8.8:53 btlr.sharethrough.com udp
US 8.8.8.8:53 ib.adnxs-simple.com udp
DE 37.252.171.149:443 ib.adnxs-simple.com tcp
US 8.8.8.8:53 rtb.openx.net udp
US 35.186.253.211:443 rtb.openx.net tcp
US 8.8.8.8:53 htlb.casalemedia.com udp
US 104.18.27.193:443 htlb.casalemedia.com tcp
DE 18.197.245.211:443 btlr.sharethrough.com tcp
DE 18.197.245.211:443 btlr.sharethrough.com tcp
DE 18.197.245.211:443 btlr.sharethrough.com tcp
DE 18.197.245.211:443 btlr.sharethrough.com tcp
DE 18.197.245.211:443 btlr.sharethrough.com tcp
US 8.8.8.8:53 fastlane.rubiconproject.com udp
NL 213.19.162.41:443 fastlane.rubiconproject.com tcp
NL 213.19.162.41:443 fastlane.rubiconproject.com tcp
NL 213.19.162.41:443 fastlane.rubiconproject.com tcp
NL 213.19.162.41:443 fastlane.rubiconproject.com tcp
NL 213.19.162.41:443 fastlane.rubiconproject.com tcp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
NL 185.64.189.112:443 hbopenbid.pubmatic.com tcp
US 8.8.8.8:53 gurgle.zdbb.net udp
US 54.210.200.29:443 gurgle.zdbb.net tcp
US 104.18.130.236:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 nl.blackhost.network.prod.hosts.ooklaserver.net udp
US 8.8.8.8:53 speedtest.spl.vodafone.nl.prod.hosts.ooklaserver.net udp
US 8.8.8.8:53 speedtest.novoserve.com.prod.hosts.ooklaserver.net udp
US 8.8.8.8:53 speedtesta.kpn.com udp
NL 62.140.138.205:8080 speedtest.spl.vodafone.nl.prod.hosts.ooklaserver.net tcp
US 8.8.8.8:53 speedtest.ams.t-mobile.nl.prod.hosts.ooklaserver.net udp
NL 185.142.236.136:8080 nl.blackhost.network.prod.hosts.ooklaserver.net tcp
US 8.8.8.8:53 ams-eq6-tptest1.31173.se udp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
NL 185.65.134.2:8080 ams-eq6-tptest1.31173.se tcp
NL 195.121.118.196:8080 speedtesta.kpn.com tcp
NL 37.143.86.95:8080 speedtest.ams.t-mobile.nl.prod.hosts.ooklaserver.net tcp
US 8.8.8.8:53 106.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 77.129.17.52.in-addr.arpa udp
US 8.8.8.8:53 29.200.210.54.in-addr.arpa udp
US 8.8.8.8:53 8.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 47.195.156.18.in-addr.arpa udp
US 8.8.8.8:53 211.253.186.35.in-addr.arpa udp
US 8.8.8.8:53 149.171.252.37.in-addr.arpa udp
US 8.8.8.8:53 193.27.18.104.in-addr.arpa udp
US 8.8.8.8:53 211.245.197.18.in-addr.arpa udp
US 8.8.8.8:53 41.162.19.213.in-addr.arpa udp
US 8.8.8.8:53 112.189.64.185.in-addr.arpa udp
US 8.8.8.8:53 205.138.140.62.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 nl.speedtest.labixe.net.prod.hosts.ooklaserver.net udp
NL 2.56.165.3:8080 nl.speedtest.labixe.net.prod.hosts.ooklaserver.net tcp
US 8.8.8.8:53 ams.speedtest.clouvider.net.prod.hosts.ooklaserver.net udp
US 8.8.8.8:53 speedtest.eu.kamatera.com.prod.hosts.ooklaserver.net udp
NL 185.167.97.105:8080 speedtest.eu.kamatera.com.prod.hosts.ooklaserver.net tcp
US 8.8.8.8:53 iperf.gakijken.nl.prod.hosts.ooklaserver.net udp
NL 89.250.176.242:8080 iperf.gakijken.nl.prod.hosts.ooklaserver.net tcp
NL 194.127.172.176:8080 ams.speedtest.clouvider.net.prod.hosts.ooklaserver.net tcp
US 8.8.8.8:53 cm.g.doubleclick.net udp
US 8.8.8.8:53 aa.agkn.com udp
DE 35.156.105.211:443 aa.agkn.com tcp
US 8.8.8.8:53 136.236.142.185.in-addr.arpa udp
US 8.8.8.8:53 178.233.80.185.in-addr.arpa udp
US 8.8.8.8:53 2.134.65.185.in-addr.arpa udp
US 8.8.8.8:53 196.118.121.195.in-addr.arpa udp
US 8.8.8.8:53 95.86.143.37.in-addr.arpa udp
US 8.8.8.8:53 169.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 3.165.56.2.in-addr.arpa udp
US 8.8.8.8:53 105.97.167.185.in-addr.arpa udp
US 8.8.8.8:53 176.172.127.194.in-addr.arpa udp
US 8.8.8.8:53 162.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 242.176.250.89.in-addr.arpa udp
US 8.8.8.8:53 211.105.156.35.in-addr.arpa udp
US 8.8.8.8:53 stags.bluekai.com udp
NL 104.99.233.6:443 stags.bluekai.com tcp
US 8.8.8.8:53 jogger.zdbb.net udp
US 8.8.8.8:53 tags.bkrtx.com udp
US 8.8.8.8:53 idsync.rlcdn.com udp
US 8.8.8.8:53 beacon.krxd.net udp
IE 52.31.202.102:443 beacon.krxd.net tcp
US 23.20.249.78:443 jogger.zdbb.net tcp
US 151.101.2.219:443 b.cdnst.net tcp
US 8.8.8.8:53 static.criteo.net udp
HK 23.42.162.112:443 tags.bkrtx.com tcp
US 35.244.174.68:443 idsync.rlcdn.com tcp
US 8.8.8.8:53 cdn.krxd.net udp
US 151.101.2.133:443 cdn.krxd.net tcp
FR 178.250.7.2:443 static.criteo.net tcp
US 8.8.8.8:53 6.233.99.104.in-addr.arpa udp
US 8.8.8.8:53 219.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 102.202.31.52.in-addr.arpa udp
US 8.8.8.8:53 112.162.42.23.in-addr.arpa udp
US 8.8.8.8:53 68.174.244.35.in-addr.arpa udp
US 8.8.8.8:53 133.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 78.249.20.23.in-addr.arpa udp
US 8.8.8.8:53 2.7.250.178.in-addr.arpa udp
US 8.8.8.8:53 privacyportal.onetrust.com udp
US 104.18.32.137:443 privacyportal.onetrust.com tcp
US 8.8.8.8:53 7764a3a1fa8e7a58344ad7c1be05a29e.safeframe.googlesyndication.com udp
NL 142.250.179.161:443 7764a3a1fa8e7a58344ad7c1be05a29e.safeframe.googlesyndication.com tcp
US 8.8.8.8:53 secure-us.imrworldwide.com udp
IE 52.51.139.185:443 secure-us.imrworldwide.com tcp
US 8.8.8.8:53 ookla-d.openx.net udp
US 8.8.8.8:53 js-sec.indexww.com udp
US 104.18.24.18:443 js-sec.indexww.com tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 eus.rubiconproject.com udp
NL 142.250.102.156:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 rp.liadm.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 cdn-gl.imrworldwide.com udp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
US 52.71.139.182:443 rp.liadm.com tcp
NL 104.85.2.117:443 eus.rubiconproject.com tcp
US 34.98.64.218:443 ookla-d.openx.net tcp
NL 104.85.2.117:443 eus.rubiconproject.com tcp
US 52.71.139.182:443 rp.liadm.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
US 18.238.243.120:443 cdn-gl.imrworldwide.com tcp
US 8.8.8.8:53 161.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 185.139.51.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.104.in-addr.arpa udp
US 8.8.8.8:53 156.102.250.142.in-addr.arpa udp
NL 142.251.36.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 bee.imrworldwide.com udp
US 18.239.69.3:443 bee.imrworldwide.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 117.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 218.64.98.34.in-addr.arpa udp
US 8.8.8.8:53 120.243.238.18.in-addr.arpa udp
US 8.8.8.8:53 182.139.71.52.in-addr.arpa udp
US 8.8.8.8:53 cdn.ampproject.org udp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.251.36.2:443 www.googletagservices.com udp
NL 142.250.179.161:443 cdn.ampproject.org udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 142.250.145.155:443 securepubads.g.doubleclick.net udp
US 142.250.145.155:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 analytics.google.com udp
US 216.239.38.181:443 analytics.google.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.194:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 cdn.doubleverify.com udp
NL 104.110.240.210:443 cdn.doubleverify.com tcp
NL 104.110.240.210:443 cdn.doubleverify.com tcp
NL 142.250.179.194:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 idx.liadm.com udp
US 54.145.133.156:443 idx.liadm.com tcp
US 8.8.8.8:53 181.38.239.216.in-addr.arpa udp
US 8.8.8.8:53 194.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 210.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 rtb0.doubleverify.com udp
US 130.211.44.5:443 rtb0.doubleverify.com tcp
US 142.250.145.155:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 156.133.145.54.in-addr.arpa udp
US 216.239.38.181:443 analytics.google.com udp
US 8.8.8.8:53 5.44.211.130.in-addr.arpa udp
US 8.8.8.8:53 match.adsrvr.org udp
US 52.223.40.198:443 match.adsrvr.org tcp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
US 8.8.8.8:53 tps.doubleverify.com udp
US 130.211.44.5:443 tps.doubleverify.com tcp
US 8.8.8.8:53 198.40.223.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 s0.2mdn.net udp
NL 142.250.179.134:443 s0.2mdn.net tcp
NL 142.250.179.134:443 s0.2mdn.net udp
US 8.8.8.8:53 googleads4.g.doubleclick.net udp
NL 142.251.36.34:443 googleads4.g.doubleclick.net tcp
US 8.8.8.8:53 198.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 134.179.250.142.in-addr.arpa udp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
NL 195.121.118.196:8080 speedtesta.kpn.com tcp
NL 185.65.134.2:8080 ams-eq6-tptest1.31173.se tcp
NL 185.167.97.105:8080 speedtest.eu.kamatera.com.prod.hosts.ooklaserver.net tcp
NL 142.251.36.34:443 googleads4.g.doubleclick.net udp
US 8.8.8.8:53 34.36.251.142.in-addr.arpa udp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
NL 195.121.118.196:8080 speedtesta.kpn.com tcp
US 8.8.8.8:53 dsum-sec.casalemedia.com udp
NL 185.65.134.2:8080 ams-eq6-tptest1.31173.se tcp
NL 185.65.134.2:8080 ams-eq6-tptest1.31173.se tcp
NL 185.167.97.105:8080 speedtest.eu.kamatera.com.prod.hosts.ooklaserver.net tcp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
NL 195.121.118.196:8080 speedtesta.kpn.com tcp
US 8.8.8.8:53 tpsc-ew1.doubleverify.com udp
US 130.211.44.5:443 tpsc-ew1.doubleverify.com tcp
US 104.18.27.193:443 dsum-sec.casalemedia.com udp
US 8.8.8.8:53 token.rubiconproject.com udp
NL 185.89.210.82:443 ib.adnxs.com tcp
NL 185.89.210.82:443 ib.adnxs.com tcp
NL 213.19.162.90:443 token.rubiconproject.com tcp
NL 213.19.162.90:443 token.rubiconproject.com tcp
US 8.8.8.8:53 x3rnqepyf6peobr97co5u1g5hzl5g1698074607.nuid.imrworldwide.com udp
US 18.239.83.90:443 x3rnqepyf6peobr97co5u1g5hzl5g1698074607.nuid.imrworldwide.com tcp
NL 185.167.97.105:8080 speedtest.eu.kamatera.com.prod.hosts.ooklaserver.net tcp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
NL 195.121.118.196:8080 speedtesta.kpn.com tcp
NL 185.65.134.2:8080 ams-eq6-tptest1.31173.se tcp
NL 185.167.97.105:8080 speedtest.eu.kamatera.com.prod.hosts.ooklaserver.net tcp
NL 185.80.233.178:8080 speedtest.novoserve.com.prod.hosts.ooklaserver.net tcp
NL 195.121.118.196:8080 speedtesta.kpn.com tcp
US 8.8.8.8:53 ade.googlesyndication.com udp
US 8.8.8.8:53 82.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 90.162.19.213.in-addr.arpa udp
US 8.8.8.8:53 90.83.239.18.in-addr.arpa udp
GB 216.58.208.98:443 ade.googlesyndication.com tcp
US 8.8.8.8:53 98.208.58.216.in-addr.arpa udp
US 130.211.44.5:443 tpsc-ew1.doubleverify.com tcp
US 8.8.8.8:53 image6.pubmatic.com udp
NL 198.47.127.19:443 image6.pubmatic.com tcp
US 8.8.8.8:53 19.127.47.198.in-addr.arpa udp
US 8.8.8.8:53 47.21.80.104.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:4456 tcp
GB 146.19.230.52:3232 tcp
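
Most of the table is browser traffic (speedtest.net and its ad and analytics domains) plus the sandbox's own reverse lookups (the *.in-addr.arpa rows). The rows that matter are the ones with no domain at all: repeated TCP sessions straight to 146.19.230.52 on ports 3232 and 4456, and the small set of services a stealer uses to learn where it is running (icanhazip.com, ip-api.com, api.mylnikov.org) or to fetch configuration (pastebin.com). The following is an added example for this page, not sandbox output; the functions and the CHECK_IN_SERVICES annotations are the editor's own, and NETWORK_EXCERPT is a constructed excerpt of rows copied from the table above, header row included.

```python
"""Separate C2 and check-in indicators from a network table in the format above.

Added example for this report page; not part of the sandbox output. The
functions and CHECK_IN_SERVICES annotations are the editor's own.
NETWORK_EXCERPT is a constructed excerpt of rows copied from the table above.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple, Optional

NETWORK_EXCERPT = """\
Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
GB 146.19.230.52:3232 tcp
GB 146.19.230.52:3232 tcp
US 8.8.8.8:53 52.230.19.146.in-addr.arpa udp
GB 146.19.230.52:4456 tcp
US 8.8.8.8:53 speedtest.net udp
US 151.101.66.219:443 speedtest.net tcp
N/A 224.0.0.251:5353 udp
US 104.18.114.97:80 icanhazip.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 104.21.44.66:443 api.mylnikov.org tcp
GB 146.19.230.52:4456 tcp
"""

# Editor's annotations of the services contacted in this run.
CHECK_IN_SERVICES = {
    "icanhazip.com": "external IP lookup",
    "ip-api.com": "IP geolocation lookup",
    "api.mylnikov.org": "Wi-Fi BSSID geolocation lookup",
    "pastebin.com": "paste service, commonly used to host C2 configuration",
}


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the sandbox saw no DNS name for the peer
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Rows carry four fields when a domain was resolved, three when not."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        if ":" not in dest:          # header row
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def find_candidate_c2(flows) -> dict[str, dict]:
    """TCP sessions to a public IP with no resolved name, grouped by peer.
    This is the pattern the 146.19.230.52 sessions in the table follow."""
    found = defaultdict(lambda: {"ports": set(), "count": 0})
    for f in flows:
        if f.proto != "tcp" or f.domain is not None:
            continue
        addr = ipaddress.ip_address(f.ip)
        if addr.is_private or addr.is_multicast or addr.is_loopback:
            continue
        found[f.ip]["ports"].add(f.port)
        found[f.ip]["count"] += 1
    return dict(found)


def flag_services(flows) -> dict[str, str]:
    """Known check-in / hosting services seen in DNS or TCP rows."""
    return {f.domain: CHECK_IN_SERVICES[f.domain]
            for f in flows if f.domain in CHECK_IN_SERVICES}


def ptr_lookup_seen(flows, ip: str) -> bool:
    """True if the table has a reverse (PTR) query for ip; these are the
    sandbox's lookups of peers it observed, not traffic from the sample."""
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    return any(f.domain == rev for f in flows)


if __name__ == "__main__":
    flows = parse_rows(NETWORK_EXCERPT)
    for ip, info in find_candidate_c2(flows).items():
        print(f"candidate C2 {ip}: ports {sorted(info['ports'])}, {info['count']} sessions")
    for domain, why in flag_services(flows).items():
        print(f"check-in service {domain}: {why}")
```

Over the full table the same address is contacted dozens of times, alternating between 3232 and 4456, which fits a RAT holding a session and reconnecting rather than a one-off download. The bare-IP rule is what carries over to NetFlow or Zeek conn logs; its known gap is a C2 fronted by a legitimate hostname, which is why the service list (here, the pastebin.com fetch behind Cloudflare addresses) is kept as a second, domain-based check.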

Files

memory/5028-0-0x0000000000960000-0x0000000000976000-memory.dmp

memory/5028-1-0x00007FFDC26F0000-0x00007FFDC31B1000-memory.dmp

memory/5028-2-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/5028-7-0x00007FFDE0D10000-0x00007FFDE0F05000-memory.dmp

memory/5028-8-0x00007FFDC26F0000-0x00007FFDC31B1000-memory.dmp

memory/5028-9-0x00007FFDE0D10000-0x00007FFDE0F05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp366.tmp.bat

MD5 45b0675d208b1d3d0112e192f9921399
SHA1 81fc92d006682e30bb7ddbc72e625109870780c6
SHA256 795b6a92e02da7332f2dc31badf9c66202f2e9bbd1a69c8a31c7938889264958
SHA512 263c1611ef8991ca604e42eb1899d6e90038bb44d14d927dc05538dbc76b124fce18a42deecdd08855096c4696003f29ebdf4175fdfd4284b287da0fe4405b63

C:\Users\Admin\AppData\Roaming\daemon.exe

MD5 6f92c594e253457f848f01bac27814d5
SHA1 9d29ff1372582e71bfcf37b9eba3063cc7febc08
SHA256 1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
SHA512 30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c

C:\Users\Admin\AppData\Roaming\daemon.exe

MD5 6f92c594e253457f848f01bac27814d5
SHA1 9d29ff1372582e71bfcf37b9eba3063cc7febc08
SHA256 1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
SHA512 30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c

memory/3596-14-0x00007FFDC26F0000-0x00007FFDC31B1000-memory.dmp

memory/3596-15-0x00007FFDE0D10000-0x00007FFDE0F05000-memory.dmp

memory/3596-16-0x00007FFDC26F0000-0x00007FFDC31B1000-memory.dmp

memory/3596-17-0x0000000001690000-0x00000000016A0000-memory.dmp

memory/3596-18-0x00007FFDE0D10000-0x00007FFDE0F05000-memory.dmp

memory/3596-19-0x000000001E0F0000-0x000000001E166000-memory.dmp

memory/3596-20-0x0000000002F40000-0x0000000002F74000-memory.dmp

memory/3596-21-0x000000001E070000-0x000000001E08E000-memory.dmp

memory/3596-22-0x000000001DD70000-0x000000001DD94000-memory.dmp

memory/3596-23-0x000000001DE90000-0x000000001DEAC000-memory.dmp

memory/3596-24-0x000000001DB70000-0x000000001DB8A000-memory.dmp

memory/3596-25-0x000000001C7C0000-0x000000001C7F2000-memory.dmp

memory/3596-26-0x000000001C6E0000-0x000000001C712000-memory.dmp

memory/332-28-0x00007FFDC26F0000-0x00007FFDC31B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxkz0khb.uro.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/332-34-0x00000202A8930000-0x00000202A8952000-memory.dmp

memory/332-40-0x00000202A8980000-0x00000202A8990000-memory.dmp

memory/332-39-0x00000202A8980000-0x00000202A8990000-memory.dmp

memory/332-41-0x00000202A8980000-0x00000202A8990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ubiopn.exe

MD5 a463c96ab06522c82bf208e024dea808
SHA1 97f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256 f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA512 59238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3

C:\Users\Admin\AppData\Local\Temp\ubiopn.exe

MD5 a463c96ab06522c82bf208e024dea808
SHA1 97f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256 f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA512 59238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3

memory/2000-47-0x0000000000980000-0x0000000000992000-memory.dmp

memory/332-46-0x00007FFDC26F0000-0x00007FFDC31B1000-memory.dmp

memory/2000-48-0x0000000074E10000-0x00000000755C0000-memory.dmp

memory/2000-49-0x00000000051E0000-0x000000000527C000-memory.dmp

memory/2000-50-0x0000000005390000-0x00000000053A0000-memory.dmp

memory/2000-51-0x0000000005B50000-0x00000000060F4000-memory.dmp

memory/2000-52-0x0000000005640000-0x00000000056D2000-memory.dmp

C:\Windows\Dllhost.exe

MD5 a463c96ab06522c82bf208e024dea808
SHA1 97f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256 f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA512 59238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3

C:\Windows\Dllhost.exe

MD5 a463c96ab06522c82bf208e024dea808