Analysis

  • max time kernel
    995s
  • max time network
    1001s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2023, 14:13

General

  • Target

    SLOVOPACANA.exe

  • Size

    1.2MB

  • MD5

    cd027faaa16d14fe7aa370c8057225d5

  • SHA1

    0054f01d667b7e75c5a255f8ee4d77b177373c08

  • SHA256

    c248d6ee2cf5cd6ca386c7a358abdd8ec408c6a63f998f22cbf896809568d90f

  • SHA512

    ac7bd57bc19ccca405027135ef07a7f475286ed96c00479eebccf725edda6c8ba94e91268aa8e0e812e15dd206f30dd30512ab99b6f8bd0b5ee6e7b26f042751

  • SSDEEP

    24576:g2G/nvxW3WfvxgCEe8FjqoCsq9/a75E6PyKP7g2:gbA3BCDujl0+2Y

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 22 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe
    "C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComAgentSession\J1Z3KeWJB1lM.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ComAgentSession\FU70pek1lKzqNpW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\ComAgentSession\blockbroker.exe
          "C:\ComAgentSession\blockbroker.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Windows\Downloaded Program Files\winlogon.exe
            "C:\Windows\Downloaded Program Files\winlogon.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\\3gUlVaPHfz.bat"
              6⤵
                PID:4424
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4984
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD994.tmp" "c:\Users\Admin\AppData\Local\Temp\owd0vlhs\CSC9EB42EC220444172B7EAC49DE9996981.TMP"
                  7⤵
                    PID:2764
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.cmdline"
                  6⤵
                    PID:1040
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezapyabp\ezapyabp.cmdline"
                    6⤵
                      PID:1224
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1264.tmp" "c:\Users\Admin\AppData\Local\Temp\ezapyabp\CSC8743270E222B43319E1254467B67EFC.TMP"
                        7⤵
                          PID:1404
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f & taskkill /f /im taskmgr.exe
                        6⤵
                          PID:4064
                          • C:\Windows\system32\reg.exe
                            reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
                            7⤵
                            • Modifies registry key
                            PID:4208
                          • C:\Windows\system32\taskkill.exe
                            taskkill /f /im taskmgr.exe
                            7⤵
                            • Kills process with taskkill
                            PID:4528
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:628
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4412
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4924
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1008
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4072
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2016
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1984
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1404
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4868
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:788
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:212
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1504
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4252
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4652
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2632
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4464
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4852
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2232
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1604
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2612
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3956
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2416
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:5004
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4348
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:936
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4260
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4400
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2340
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4836
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3104
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:960
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3012
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:552
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1356
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3292
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1744
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2972
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1444
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3464
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3568
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2040
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:384
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:5080
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3904
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3048
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2556
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:664
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4500
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1112
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4568
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1468
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1008
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "blockbroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2016
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1984
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4332
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:532
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3228
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                1⤵
                  PID:5032
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:512
                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
                  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:744
                • C:\odt\SearchApp.exe
                  C:\odt\SearchApp.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2844
                • C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
                  C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1244
                • C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe
                  "C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:788
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe"
                  1⤵
                  • Enumerates system info in registry
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:4540
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778
                    2⤵
                      PID:2824
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:2
                      2⤵
                        PID:1120
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                        2⤵
                          PID:4064
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                          2⤵
                            PID:3188
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
                            2⤵
                              PID:2104
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
                              2⤵
                                PID:1064
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4672 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
                                2⤵
                                  PID:844
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                                  2⤵
                                    PID:4668
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                                    2⤵
                                      PID:3964
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                                      2⤵
                                        PID:3240
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                                        2⤵
                                          PID:1868
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                                          2⤵
                                            PID:4836
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                                            2⤵
                                              PID:1800
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
                                              2⤵
                                                PID:3764
                                            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                              "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                              1⤵
                                                PID:1604
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                1⤵
                                                • Enumerates system info in registry
                                                • Modifies data under HKEY_USERS
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                PID:2924
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778
                                                  2⤵
                                                    PID:2292
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                    2⤵
                                                      PID:2832
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
                                                      2⤵
                                                        PID:2424
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
                                                        2⤵
                                                          PID:3376
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                          2⤵
                                                            PID:4484
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2
                                                            2⤵
                                                              PID:2960
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                              2⤵
                                                                PID:4544
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4732 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
                                                                2⤵
                                                                  PID:4068
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                                  2⤵
                                                                    PID:3448
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                                    2⤵
                                                                      PID:5024
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                                      2⤵
                                                                        PID:4632
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                                        2⤵
                                                                          PID:4384
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                                          2⤵
                                                                            PID:2236
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
                                                                            2⤵
                                                                              PID:4208
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2
                                                                              2⤵
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:884
                                                                          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                            1⤵
                                                                              PID:1800
                                                                            • C:\Windows\Offline Web Pages\sihost.exe
                                                                              "C:\Windows\Offline Web Pages\sihost.exe"
                                                                              1⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2956
                                                                            • C:\Windows\system32\mspaint.exe
                                                                              "C:\Windows\system32\mspaint.exe"
                                                                              1⤵
                                                                              • Drops file in Windows directory
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:4692
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
                                                                              1⤵
                                                                                PID:784
                                                                                • C:\Windows\system32\dashost.exe
                                                                                  dashost.exe {7a9b72e2-86d9-4028-8c086fd90d6660f6}
                                                                                  2⤵
                                                                                    PID:2144
                                                                                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
                                                                                  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:376
                                                                                • C:\Recovery\WindowsRE\csrss.exe
                                                                                  C:\Recovery\WindowsRE\csrss.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3092
                                                                                • C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe
                                                                                  "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2988
                                                                                • C:\Recovery\WindowsRE\blockbroker.exe
                                                                                  C:\Recovery\WindowsRE\blockbroker.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4032
                                                                                • C:\Users\Default User\TrustedInstaller.exe
                                                                                  "C:\Users\Default User\TrustedInstaller.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1788
                                                                                • C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
                                                                                  C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4400
                                                                                • C:\odt\SearchApp.exe
                                                                                  C:\odt\SearchApp.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:640
                                                                                • C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe
                                                                                  "C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3592
                                                                                • C:\Recovery\WindowsRE\spoolsv.exe
                                                                                  C:\Recovery\WindowsRE\spoolsv.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4384
                                                                                • C:\Recovery\WindowsRE\dwm.exe
                                                                                  C:\Recovery\WindowsRE\dwm.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:460
                                                                                • C:\Windows\Fonts\sppsvc.exe
                                                                                  C:\Windows\Fonts\sppsvc.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1328
                                                                                • C:\Recovery\WindowsRE\sysmon.exe
                                                                                  C:\Recovery\WindowsRE\sysmon.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2912
                                                                                • C:\Windows\Downloaded Program Files\winlogon.exe
                                                                                  "C:\Windows\Downloaded Program Files\winlogon.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4812
                                                                                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
                                                                                  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  PID:2988
                                                                                • C:\Windows\Offline Web Pages\sihost.exe
                                                                                  "C:\Windows\Offline Web Pages\sihost.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3632

                                                                                Network

                                                                                      MITRE ATT&CK Enterprise v15

                                                                                      Downloads

• C:\ComAgentSession\FU70pek1lKzqNpW.bat
  Filesize: 36B
  MD5: db5bc92a508253027eeb8b1703425243
  SHA1: f17f65ab6ee1d0d59092eecd0c9c89288adbb355
  SHA256: 6a48edfa769d6420962994aa84e6b261734fd289860251c12eff0d6b9994e153
  SHA512: 5637eab1c2f15f80b7a62694a27d0cd2649c183625119b3bd0cfcc42d49c9693b5708b098f18d0084509079601f1893f09079d7580d3b01d74fa9095101e4521

• C:\ComAgentSession\J1Z3KeWJB1lM.vbe
  Filesize: 207B
  MD5: f83a0a294a0f7c5ec97371c705cbfec9
  SHA1: 4cf78ab1616432c1f8c714f122a79350af8a53f5
  SHA256: 5a23f943e2e3054bbfad3f9b71c5c03498c78a510a758511bfca0f34f287724f
  SHA512: 9e127673927c5a69d1ab4022046c57135f961ed1ce1b8974a47550d1555b43762008a7b6ce3ba220ab917cb2466703dddda3add1ca784b4c8d5b5d0cdfb1c620

• C:\ComAgentSession\blockbroker.exe
  Filesize: 829KB
  MD5: 2f055355f956c24ffc2276a84e1f24b5
  SHA1: e8c6619057c583077b0f171280212c548f54d263
  SHA256: 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
  SHA512: f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

• C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe
  Filesize: 829KB
  MD5: 2f055355f956c24ffc2276a84e1f24b5
  SHA1: e8c6619057c583077b0f171280212c548f54d263
  SHA256: 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
  SHA512: f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

                                                                                      • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe

                                                                                        Filesize

                                                                                        829KB

                                                                                        MD5

                                                                                        2f055355f956c24ffc2276a84e1f24b5

                                                                                        SHA1

                                                                                        e8c6619057c583077b0f171280212c548f54d263

                                                                                        SHA256

                                                                                        0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553

                                                                                        SHA512

                                                                                        f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

                                                                                      • C:\Program Files\Windows Security\sppsvc.exe

                                                                                        Filesize

                                                                                        829KB

                                                                                        MD5

                                                                                        2f055355f956c24ffc2276a84e1f24b5

                                                                                        SHA1

                                                                                        e8c6619057c583077b0f171280212c548f54d263

                                                                                        SHA256

                                                                                        0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553

                                                                                        SHA512

                                                                                        f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                                                                        Filesize

                                                                                        40B

                                                                                        MD5

                                                                                        66a053d6739fe940ec8c86d7d7edf5ca

                                                                                        SHA1

                                                                                        7bca498903f551bd30fadaff9aea89f69be58890

                                                                                        SHA256

                                                                                        34f812910e594035498af16fd84f5da4e2380f7ad86f77ba2b4aa8942550ccd1

                                                                                        SHA512

                                                                                        e15d98456693fe4cafebbbe5a0a60259b9b44e086269efcd375366e6a043d20c7c585a4f550720fe96548a535df1a606a7d606bf2c0c12b8a1eaecfef40ef740

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

                                                                                        Filesize

                                                                                        44KB

                                                                                        MD5

                                                                                        51668952c3a3ab36426b1944f3728e46

                                                                                        SHA1

                                                                                        fab8bd955484c9bfe2670adf2eb9c58b63006788

                                                                                        SHA256

                                                                                        357976c65f912707b145efd874990414a2722f485f3410f91bfd22c8969ccda9

                                                                                        SHA512

                                                                                        0ab04d7ef2e8102dcf5cb173c3d52e2ac5a5c2c5259ecf385589b2537bbc4e2f95661d46be5a5ea147a6b9d07d61c95ff5f65badcff446a29acc2b24fdc7a31d

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

                                                                                        Filesize

                                                                                        264KB

                                                                                        MD5

                                                                                        d980d17895283a0e1d8d8a256269d284

                                                                                        SHA1

                                                                                        005260b0d7167a7444a7a38631d828b49f5292db

                                                                                        SHA256

                                                                                        5ef8424c5a73a9a074e2ad202f3f37fc7ee6d733b38a4695c168f1c09a5885f9

                                                                                        SHA512

                                                                                        16adc23fe985cdafda6edf4cdd0d3263b2dd043397dfff018339a084cbefbba77f5b1ff271da486eccc88ba9f6ca06170770e3a9f085d25f2bb242c42da83e71

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

                                                                                        Filesize

                                                                                        4.0MB

                                                                                        MD5

                                                                                        c400056b2ea08acaae9db4bb506bcf76

                                                                                        SHA1

                                                                                        26c5760d7c7f7f37ac3211c6d5a491fa002926b7

                                                                                        SHA256

                                                                                        01e0b5c234c9ed4fed2d1eb9bb6c1e22cbbcc47efe737632a0bbafdaa99d5cf2

                                                                                        SHA512

                                                                                        c61391c3cc6db7683039fd113e7aeaa5e9357ccafc1701b9ff49354699aba58ab43fd3c35916aef6a954209c2bb7f4dbd1fbdc946b53c90c1ba1d952e4a81835

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

                                                                                        Filesize

                                                                                        52KB

                                                                                        MD5

                                                                                        344195b3134218414f9ec76d65c462b9

                                                                                        SHA1

                                                                                        13e80dc8ae020fb91259d072d939cabd038fa2ab

                                                                                        SHA256

                                                                                        e9305ffbcf6a27bac5113d58d0f491b8caab480c22d3d63268e14f6d59a45782

                                                                                        SHA512

                                                                                        66e8c955f8272ef785536a7e8cc3a3b160cd27520f5a835a3846cc513c5956d022a683089a42320dfd8c04e09998ddfc759a9d33aea271b88355765ed315f175

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

                                                                                        Filesize

                                                                                        37KB

                                                                                        MD5

                                                                                        f5118dd18af12aba720339dd42830c08

                                                                                        SHA1

                                                                                        0ed013d68aea57a1f587fe47e72464f84dc3994a

                                                                                        SHA256

                                                                                        c977fccad202c62d07cca71375b7f710cf97a2679d71e9083f529a38d4e68dcc

                                                                                        SHA512

                                                                                        8a33bbfe4488d06b47c9664df2832292adc6060a99baf8bda68a751e501a7f61f15825a0e0fba85064f574539de09279b48927d154f4f366de5fec2400c673d9

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

                                                                                        Filesize

                                                                                        58KB

                                                                                        MD5

                                                                                        5d05ba495d37acd79c70e5b557a0c16c

                                                                                        SHA1

                                                                                        e96ad98168fa375dea9c37c8a3263437224300a7

                                                                                        SHA256

                                                                                        21b00ea3a3278814e1e425f24bdeb0fdd79f9cbef6a4417648e711c90fb1660d

                                                                                        SHA512

                                                                                        90e9777de33256df5104001b3c76ba5c52dd71c883661e0cfb02426d45bfd805cff05bae308589f3d1a451f5163afe59ca6a3107ef0b9343c10b5c436cfb2cae

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

                                                                                        Filesize

                                                                                        40KB

                                                                                        MD5

                                                                                        929729aa7cff46b3dad2f748a57af24c

                                                                                        SHA1

                                                                                        81aa5db7dd63c79e23ccd23bf2520ab994295f2e

                                                                                        SHA256

                                                                                        3c63e6c7fa25849799d08bf54988bfb3b77b1d1eebb1e55a94b64995850cba2f

                                                                                        SHA512

                                                                                        a10eaa6f2708b683bd43295b9c3da5840c0eb6d8a6b9e1922a534270fecbc0dcdb4cdcc28768df292a06f6210885b510254bdca17e5b3c507b0337fe7dc3d743

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

                                                                                        Filesize

                                                                                        264KB

                                                                                        MD5

                                                                                        f50f89a0a91564d0b8a211f8921aa7de

                                                                                        SHA1

                                                                                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                                        SHA256

                                                                                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                                        SHA512

                                                                                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                                                                                        Filesize

                                                                                        264KB

                                                                                        MD5

                                                                                        f50f89a0a91564d0b8a211f8921aa7de

                                                                                        SHA1

                                                                                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                                        SHA256

                                                                                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                                        SHA512

                                                                                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

                                                                                        Filesize

                                                                                        329B

                                                                                        MD5

                                                                                        d118ac27f5c37c6511a9490ba6ac454e

                                                                                        SHA1

                                                                                        ec400e0eb0a480a052f0bca2ec87d23e3f84c936

                                                                                        SHA256

                                                                                        77e3ba641f04eb473d234d3bdba450ac0a2559a6dd5dcc02399e69625fe07365

                                                                                        SHA512

                                                                                        e150e7e7a853ad68d27cac44026fb76a8d25aaeb47fcdf2e78ff9d5bcfe97629ee97fff7afa37e5799c70912d0d860abdcd88a406e23bea38bc3e9b61f28f0c2

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        6e5a0fb5efdcc035796b1e6e203bbbc1

                                                                                        SHA1

                                                                                        fee75b4967e6cfd4f06c36270f273f167a05b047

                                                                                        SHA256

                                                                                        76afc4a4e96879c25debe396e33347191b89b953a3ef9c6e01c97440cca96d99

                                                                                        SHA512

                                                                                        9c84371aa89ef3aaadcd45f8095ad79f84d7135bf1f83009bf85fd3377f3c33a65873abb1202b3e6e45e5c757efd5a46b7a71d16e5ef4a29cb512865892760c8

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        5ad0ab3cf0f7dda6ca4e3f90bcb19154

                                                                                        SHA1

                                                                                        67eaa1b3e9bfe098fd3b4173398c14f52b86cee5

                                                                                        SHA256

                                                                                        f143ff02e7e0bdb1f81e2f86869e0eceddcb01f7c81116a8dc8d53867cfaa6d7

                                                                                        SHA512

                                                                                        668654b4a308a0b517e666e5e0c64ad9e814e27c6dd144b7f480b312b05328147672d150048be84d7b585065c501285bcc57a951aa36d151fb94848f8fd14afb

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        43a86868b757012518d4963cb542d5fe

                                                                                        SHA1

                                                                                        e79c4540f89d45f526ea5c8ca189b31f39fbb338

                                                                                        SHA256

                                                                                        2f927cce18ea6bd2b9094704ccfca95d5b4de7c02254b1d899ef9f4029357e28

                                                                                        SHA512

                                                                                        f1cef761b22d4ad3ec24769c65e12ff1ebd4727d2a6a8c22c530cc1f13c110ed684cdd9e535726890b1969222e008e0d4574a5a4f284f2a8090c5b9a87f6cb90

                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        d5e535e98350bc9b20b09f97ef91564d

                                                                                        SHA1

                                                                                        0406e87bcf4650599496a11286874a5197e47014

                                                                                        SHA256

                                                                                        2d6a58669e655683d6ada04fabf0f9370a55e685956bd90f5361db69db618400

                                                                                        SHA512

                                                                                        91f091554a0437d5c2c0124dca2990aebacfe664bda149d77adff32ed87c56b1a0a5f28dc462c334b290264ddfb52205923175ce96e01e53a0be5ed28c4277e9

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL
  Filesize: 36KB
  MD5: 8dd8360a04d0627d6ee2f9c8c2b6d233
  SHA1: 4367fbe3fa5374554a29f239b0eca798d408c5aa
  SHA256: efd13aaf071384b65a9e13b39ac2e0a95f6b4123ed97a7f32be4ef7cfa5236d8
  SHA512: e6ba8202016b8f83ef301277ddb24a3417220c3eebffb1413f40f5e689d8ca6ac8f26ad8ff223652c1cc8b6d06f83202171a7456d92d37d9ee086d9b96559d87

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 371B
  MD5: 5e82967f9315957f704c066ec7a860d9
  SHA1: 4e2fa8f5e8eebc714ba54958019f0f45517bbc70
  SHA256: daeb6266dc42a3209f5ddbf6cb86c4c5097236690f0dbe672dd462c014d98532
  SHA512: d1cbd0f484ab1da92a1e129a961bdf5d5d844d5835ae47cfb121f534b3bb1e2615b2300e60029b2bb322dd34a1dc0741b66aeeb4d9510fc1833cb2a47c1a5e7f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 371B
  MD5: 7df9378cd068117811256fbd614f1cca
  SHA1: f970084108e2b2020b73f8bb4b53f235a3f20149
  SHA256: 7135e9def2674879e71527bd66db955711abef935673bdbde08cdad398bef493
  SHA512: f8cad8b16e908cb7541ebd2fc23d3eae4fe79f88bb5c334a85c244a330abad0f7f785824a4540ee8487f6cc96249f0058b2dc442b55a7f941312216306ee1729

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 0134421278bd8196c677004e39af44d1
  SHA1: 4c225a95b716ad79b2cf28c09e11b7592a46eb41
  SHA256: 84d732f79aa2d96d704a697f394b1b9fce6917ffab648423e26269d69424c3a8
  SHA512: 8248eab16c4f35469ee6dbb7fad0dfd7c9e2f4a6ccaf6be040f6d34952942c6d9b6f1b3c28c1dcf1d04b77a285eec0c8e507c78e352239bb988f5c6c4210a262

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 6KB
  MD5: e0fca882f352b1f9152d986cc304d217
  SHA1: faa3bececc3486288643cc12b1a25920a42f3749
  SHA256: 036cd8dbf47cfe76e985ae3054692155f9beab812b81a2b8c71f91764edb6cd7
  SHA512: 0cacd787d3d579a7ba778b744fdd032bf10d04fa11c9c67c0975ad9cf7e7865f48415dd4a2bc5eeda2a1b6a6d6ec8c36e78c9777cecc3d852d42422278928438

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 95055c1bfc7002c46e872e65649db4f1
  SHA1: d752df17205c45608cc6eb60560fcc2a12591221
  SHA256: dffe9d282d6d6c7e87242224de65c98d3e0bd92eccb7dac4be217091d33b6bc4
  SHA512: db39055e77e1d1f20c9135becf7957634479257170c422e78eedd9ec33237c3660e47faec43c99e9c2586fc8010793490cbc14326e4690005b33ac5682c6fa90

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 6KB
  MD5: ca0f788e62d611d48989651496d0362b
  SHA1: 625725b3b1f71c2e3d2cbfc15c9488090049a76f
  SHA256: 59981c1aa6ee94a24b2aca33ebf581d69c2cd4cf3d5f86217961a07fab442219
  SHA512: 0c75767f4ba3c95273de18c51fb1d50e9795e97daf23fd99acf31079583befde873d9c7ab2db7793aa1a9e7babbc02679cd658d6e8c3b05c65d224b04a8808f3

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 6KB
  MD5: f45910e8ebe9f0df6e5ef903df0657e1
  SHA1: f924a2c44cfa1412c05d9e4da383934da2a1ba9c
  SHA256: 18f41bf18c4df300bc34ecde651f6b6b47d5378776bdc1e369d2def06e510aec
  SHA512: aed953f6cffcf893d48264b5c6429f1edbe8c815e7f8180827529b5df1dc5f53c69fc1e47da624c0bc6c94c2b0981c8dd221dad89be023f3fc48d1176fd451f4

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
  Filesize: 15KB
  MD5: 2a1a540b49c7b8cc78b580848772ca36
  SHA1: 0befd7cce06f97f3b62dd7b75f331aa3240b990f
  SHA256: 9f7fd5be2ed08f1955745758422d7e3cc8f5c249de32d3932c58093560892921
  SHA512: bf0dc17dd0bcdc2cae7827989c8f98b62962e4002f4e93e8f8161173d27089a21afd7d4a102d432a7b19bbdaa7864abee6988dcc590176d7e7a393c2e419005c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
  Filesize: 345B
  MD5: 86efaf1a8666926f0e6efa7f7a27bb6c
  SHA1: f39351820a7d988cf72852c886565ee895f9917d
  SHA256: 7738f249275e5133c18d8006e56e540ff78a32f22d7d2ddddb24bf9b95e0b9c2
  SHA512: 96ed49f9a23cbb314cfb14129dbc1fc707b37fa9fce57787ef9a9682d6f51c1a6b7b3fe379dfad22c50b7231eaa8613f1d0ad8c1df5fcd238ba897c1919b1030

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
  Filesize: 8KB
  MD5: f98defe17a8e79ea97a0ea9e1f2fd717
  SHA1: c09a3b2399f00f62915b97d5e8f04ffdbb9ff200
  SHA256: 5474c5a6cbf3c417b8fa8202aeed419d12038b81449674aad6cb20781843a81d
  SHA512: 4bd52e7581c40b63e41df8d6521a3eb38ba8f1573ee193e4878a4af0f56db239b68e0faa1b0c31c8d7a9dfea8798be5649a42a604b0a25961e5a31caf3fb735e

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
  Filesize: 321B
  MD5: 935f2136b75f27769ccc7e5cda60eb27
  SHA1: 480047af7d8b544cb45e713283ff3c39d9470340
  SHA256: 10d421e27b815c3835ccff890a2be9fb834014a37bce460dfd22ceb9e2cf00f6
  SHA512: 45559bb83faf2a8d615e5cc7b88e44ab3ab796a65828dd995bb0497591fb7b29aff0ff41c8892e370e112443a6744237bd1707ca2204ae282c55c9fbd761c810

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
  Filesize: 14B
  MD5: 9eae63c7a967fc314dd311d9f46a45b7
  SHA1: caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
  SHA256: 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
  SHA512: bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 221KB
  MD5: 223954b6b921b05bf59b57f3db55c370
  SHA1: d5213e96c5f6c8cf104eed7ce56c50d22e84519e
  SHA256: f518330912fbb405e648111e511c48b73c375b911a322be9f8498727d8a45cef
  SHA512: 0421e9076193112fa0a5c17591eb1bc8174048f97de37be8601e782add7ad326c541fbe95f65b9b09967e7d946377f9f276cacdb2c90f356ded9dbb58134686a

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 221KB
  MD5: 0c7058e843c3cf4b0f485b9f526db6d0
  SHA1: fc8779e60131c2c8bdcf212e85f531083e3debfc
  SHA256: 63c2ff80e29363b8d3647bbbed66932346620c9c98b79120f8156c194cd5080e
  SHA512: 77db9c3f702e287c3686b68ee1eefd7d0c00465ec88cf7b47ae1d4e9e82d67840f80fbab20d2892a46096fb8a2ebe04f6a2ed5f24dbc2f65401d5fc23ce64822

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 109KB
  MD5: b387506d1d609cdeaacf83ed5064deb2
  SHA1: 6b0593bc8f4c07496cd6baab6298b5b6086310dd
  SHA256: bf9944b7bebe993bf81246722865fb2d0060408f3ec4c111f2eeb8fef1a78997
  SHA512: fc18fd97f40b1ce05cdc7d286de08fa15c1474633ebffa912bd7018d6c1085a66dd028a9ea53a98f219de4f1e99de489847f5dcde46efaad46f1cad8c3056a1c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 221KB
  MD5: 0c7058e843c3cf4b0f485b9f526db6d0
  SHA1: fc8779e60131c2c8bdcf212e85f531083e3debfc
  SHA256: 63c2ff80e29363b8d3647bbbed66932346620c9c98b79120f8156c194cd5080e
  SHA512: 77db9c3f702e287c3686b68ee1eefd7d0c00465ec88cf7b47ae1d4e9e82d67840f80fbab20d2892a46096fb8a2ebe04f6a2ed5f24dbc2f65401d5fc23ce64822

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
  Filesize: 85B
  MD5: bc6142469cd7dadf107be9ad87ea4753
  SHA1: 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
  SHA256: b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
  SHA512: 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
  Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log
  Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                                                      • C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

                                                                                        Filesize

                                                                                        91B

                                                                                        MD5

                                                                                        3df5329028ec13c367e1283a462b0dab

                                                                                        SHA1

                                                                                        4294d5cb78c980c90cf4da0a540943d931aed884

                                                                                        SHA256

                                                                                        945cbff2edfc91f9dc83d777f498d9168e3ff0b9495ca91c97abaf85e226a85c

                                                                                        SHA512

                                                                                        b7a8f8117d82737ea9506285f4524ca2053bfbe7f24009b2036ebdc8ab6b4b99d9181889a318a3c284c4310be5b39fdbda9cd312bf2a02459d3b90acc06a6f49

                                                                                      • C:\Users\Admin\AppData\Local\Temp\RESD994.tmp

                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        d0faded3acf408ebb97a11c352c760ef

                                                                                        SHA1

                                                                                        598ea636de9569e4aba34bdaba0a4b8f7ec9d7bc

                                                                                        SHA256

                                                                                        da8cb33f5a58c362620386d472bcd555da42dd58f28afa453f3e358fdc9a5cd0

                                                                                        SHA512

                                                                                        2352bce292715ea07487f060ffe13696a754ede18353366c5f69441561c80271992afe47a16faf9cc1fb49c25eae7ce5a845fa7a04559253209958fe0a2ac98a

                                                                                      • C:\Users\Admin\AppData\Local\Temp\Untitled.png

                                                                                        Filesize

                                                                                        3KB

                                                                                        MD5

                                                                                        8b54f4a71994d75f03d925e39b270266

                                                                                        SHA1

                                                                                        1cc3fb083cecb12eb9ea7a2296c88e68cd8ce7f8

                                                                                        SHA256

                                                                                        8fa966daba967f094792660843018f290ff549dbed28a9c02e8cffd795f08c76

                                                                                        SHA512

                                                                                        16291f11162869bb7a9958b851f79bad6af4c90376fb98d111debe4536c9d4eda9738be0b82d1bb9f26e45a881987f901d1b14f806ccd1f411dc2e75acdd72be

                                                                                      • C:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.dll

                                                                                        Filesize

                                                                                        3KB

                                                                                        MD5

                                                                                        a33e031116fc91cd8f03aa3850e395a0

                                                                                        SHA1

                                                                                        1e4466087f9acd00dbd7987572e6d77893e34296

                                                                                        SHA256

                                                                                        63da7180b93899c5c144f865f239d3a51812055620e7a204be6534661f5de073

                                                                                        SHA512

                                                                                        5955c5f6f73e23a637a139b4530ebb2b47f9bddb78db7f7b78eadf507342a35c34625f244ba08d03eb8dd35fe7cd9da9e81d72a9635a6de78e768f8bae33a1e8

                                                                                      • C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe

                                                                                        Filesize

                                                                                        829KB

                                                                                        MD5

                                                                                        2f055355f956c24ffc2276a84e1f24b5

                                                                                        SHA1

                                                                                        e8c6619057c583077b0f171280212c548f54d263

                                                                                        SHA256

                                                                                        0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553

                                                                                        SHA512

                                                                                        f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

• C:\Windows\Downloaded Program Files\winlogon.exe
  Filesize: 829KB
  MD5: 2f055355f956c24ffc2276a84e1f24b5
  SHA1: e8c6619057c583077b0f171280212c548f54d263
  SHA256: 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
  SHA512: f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

• C:\odt\SearchApp.exe
  Filesize: 829KB
  MD5: 2f055355f956c24ffc2276a84e1f24b5
  SHA1: e8c6619057c583077b0f171280212c548f54d263
  SHA256: 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
  SHA512: f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

• \??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\CSC9EB42EC220444172B7EAC49DE9996981.TMP
  Filesize: 652B
  MD5: 3ed69fcf43025df50e7ff3fa77a8dd97
  SHA1: 0bc73e7407ae4e7743f84bf0e285413a53000548
  SHA256: 0466286ef439f17314d6ad63c99f2d217c2c67cc40052b0a15347702936d0f49
  SHA512: 452ce93216b6d5e95d095623fd2e2c113b3bd91b49904346c7367550cac28969953b2f256d8e6d70fda6ccac1944c9f8d35c43a449b00d7b46f33c21e7f1c4b2

• \??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.0.cs
  Filesize: 435B
  MD5: ee98b18b7a7a0cb24a9564ee3b770530
  SHA1: a9d5245c3a1835eae87d8e98faf1dfbd33e2a633
  SHA256: 3a72cbbb3032641f66650d753f9dd4c61659fc9e0e1f94bf7fce8b41a5ce767a
  SHA512: 39f2a571431d73eb627094afac4ccbdde7acef284c623e21ef7c7e1d6d12f4d897610479c9eaec206472d8ff9c03232c6385895a8cd1766e44f733bb5f7f9037

• \??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.cmdline
  Filesize: 334B
  MD5: a6743587a682bc9723b2f65c041be508
  SHA1: 68d08bb35141c5b7be1796fe373c294bd156b665
  SHA256: d7292c7d79337214d67a68961cc174fc321b6f30484a64eec270d8204bcce874
  SHA512: 97bcb92168c3afc01cf77ef44267bdc28e8f23cb0706794c8f6955a7cc64ddc4eedeb9f8bcbd56a085f1d40de94b904103e949365f4c429b1e5f2bb06d83f15b

• \??\c:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.0.cs
  Filesize: 1KB
  MD5: d4066cc7fa7bb70669af47eac69f3ef0
  SHA1: 642d369cc12b4f33ba97b608df5e511640c1ee96
  SHA256: cb8e3091cc67c7a0dd5aad57baae2f8b7fb33a83dd7f8a65a39cf44a67684999
  SHA512: d9d2574ec5a1bb4b871a461495bcb803ddef0f16c72c3532c4cde1b05dd56c0f93f32b3d0f84e0df75dff010d4e080637982a6570e00fc4bd3e68077049086eb

• \??\c:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.cmdline
  Filesize: 334B
  MD5: 3c7cf5932df62f9cace43369e69c9cc2
  SHA1: 6b81ff39623ffa65e4a8f0db83556bd0815a837f
  SHA256: 77746c97acd6d4928c571eea76a10e80fe9c93cf615e3b49cbfe4bdd78d9931b
  SHA512: 99f0c1908d29481730c783b4a12002573719c6df5de5a84909896ac0e301a4ba3c2080a10fc3ed772d3c0b193162b5f18eb18fe91f33d45f29a4773a4ebfe478

• memory/376-433-0x000000001B5A0000-0x000000001B5B0000-memory.dmp
  Filesize: 64KB

• memory/376-437-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/376-432-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/460-471-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/460-464-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/512-84-0x0000025C72540000-0x0000025C72550000-memory.dmp
  Filesize: 64KB

• memory/512-104-0x0000025C7A960000-0x0000025C7A961000-memory.dmp
  Filesize: 4KB

• memory/512-68-0x0000025C72440000-0x0000025C72450000-memory.dmp
  Filesize: 64KB

• memory/512-100-0x0000025C7A820000-0x0000025C7A821000-memory.dmp
  Filesize: 4KB

• memory/512-102-0x0000025C7A850000-0x0000025C7A851000-memory.dmp
  Filesize: 4KB

• memory/512-103-0x0000025C7A850000-0x0000025C7A851000-memory.dmp
  Filesize: 4KB

• memory/640-462-0x000000001BCE0000-0x000000001BCF0000-memory.dmp
  Filesize: 64KB

• memory/640-457-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/640-468-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/744-129-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/744-126-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/744-127-0x000000001B660000-0x000000001B670000-memory.dmp
  Filesize: 64KB

• memory/788-147-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/788-141-0x000000001B340000-0x000000001B350000-memory.dmp
  Filesize: 64KB

• memory/788-140-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1244-136-0x000000001B330000-0x000000001B340000-memory.dmp
  Filesize: 64KB

• memory/1244-144-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1244-137-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1328-481-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1328-489-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1788-453-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1788-456-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1796-14-0x00000000009D0000-0x00000000009E0000-memory.dmp
  Filesize: 64KB

• memory/1796-64-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1796-13-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/1796-12-0x0000000000110000-0x00000000001E6000-memory.dmp
  Filesize: 856KB

• memory/2844-134-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/2844-135-0x000000001B7B0000-0x000000001B7C0000-memory.dmp
  Filesize: 64KB

• memory/2844-145-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/2912-483-0x000000001B3A0000-0x000000001B3B0000-memory.dmp
  Filesize: 64KB

• memory/2912-482-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/2912-491-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
  Filesize: 10.8MB

• memory/2956-377-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/2956-373-0x0000000002C70000-0x0000000002C80000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/2956-372-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/2988-435-0x0000000002980000-0x0000000002990000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/2988-506-0x00007FFB12640000-0x00007FFB13101000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/2988-505-0x00000000023B0000-0x00000000023C0000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/2988-504-0x00007FFB12640000-0x00007FFB13101000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/2988-436-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/2988-439-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3092-441-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3092-434-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3592-460-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3592-463-0x0000000001600000-0x0000000001610000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/3592-469-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3780-66-0x000000001B1F0000-0x000000001B200000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/3780-486-0x000000001B1F0000-0x000000001B200000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/3780-122-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

                                                                                        Filesize

                                                                                        32KB

                                                                                      • memory/3780-479-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

                                                                                        Filesize

                                                                                        32KB

                                                                                      • memory/3780-494-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3780-67-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3780-65-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/3780-487-0x000000001B1F0000-0x000000001B200000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/4032-452-0x0000000002380000-0x0000000002390000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/4032-454-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/4032-451-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/4384-467-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/4384-461-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/4400-465-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/4400-459-0x000000001B030000-0x000000001B040000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/4400-458-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/4812-485-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB

                                                                                      • memory/4812-484-0x0000000002A00000-0x0000000002A10000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                      • memory/4812-493-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

                                                                                        Filesize

                                                                                        10.8MB