Malware Analysis Report

2025-08-06 00:36

Sample ID 231206-rjfbbsfb72
Target SLOVOPACANA.exe
SHA256 c248d6ee2cf5cd6ca386c7a358abdd8ec408c6a63f998f22cbf896809568d90f
Tags: rat, dcrat, infostealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

c248d6ee2cf5cd6ca386c7a358abdd8ec408c6a63f998f22cbf896809568d90f

Threat Level: Known bad

The file SLOVOPACANA.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

DCRat payload

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-06 14:13

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-06 14:13

Reported

2023-12-06 14:30

Platform

win10v2004-20231127-en

Max time kernel

995s

Max time network

1001s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A (57 identical entries)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (14 identical entries)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\ComAgentSession\blockbroker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Windows\Downloaded Program Files\winlogon.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\5940a34987c991 | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Program Files\Windows Security\sppsvc.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Program Files\Windows Security\0a1fd5f707cd16 | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e6c9b481da804f | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\22eafd247d37c3 | C:\ComAgentSession\blockbroker.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Offline Web Pages\66fc9ff0ee96c2 | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\DiagTrack\Settings\55b276f4edf653 | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\Downloaded Program Files\cc11b995f2a76d | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\Fonts\sppsvc.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\Offline Web Pages\sihost.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\PolicyDefinitions\it-IT\0a1fd5f707cd16 | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\Downloaded Program Files\winlogon.exe | C:\ComAgentSession\blockbroker.exe | N/A
File created | C:\Windows\Fonts\0a1fd5f707cd16 | C:\ComAgentSession\blockbroker.exe | N/A
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (57 identical entries)

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (2 entries)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (2 entries)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (2 entries)

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (2 entries)
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133463460008644647" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class


Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ComAgentSession\blockbroker.exe | N/A (2 entries)
N/A | N/A | C:\Windows\Downloaded Program Files\winlogon.exe | N/A (15 entries)
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (6 entries)
N/A | N/A | C:\Windows\system32\mspaint.exe | N/A (2 entries)
N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe | N/A (10 entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Downloaded Program Files\winlogon.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ComAgentSession\blockbroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Downloaded Program Files\winlogon.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\odt\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\sihost.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe C:\Windows\SysWOW64\WScript.exe
PID 4704 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe C:\Windows\SysWOW64\WScript.exe
PID 4704 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe C:\Windows\SysWOW64\WScript.exe
PID 868 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\ComAgentSession\blockbroker.exe
PID 4504 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\ComAgentSession\blockbroker.exe
PID 1796 wrote to memory of 3780 N/A C:\ComAgentSession\blockbroker.exe C:\Windows\Downloaded Program Files\winlogon.exe
PID 1796 wrote to memory of 3780 N/A C:\ComAgentSession\blockbroker.exe C:\Windows\Downloaded Program Files\winlogon.exe
PID 3780 wrote to memory of 4424 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\SYSTEM32\cmd.exe
PID 3780 wrote to memory of 4424 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\SYSTEM32\cmd.exe
PID 3780 wrote to memory of 4984 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3780 wrote to memory of 4984 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4984 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4984 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3780 wrote to memory of 1040 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3780 wrote to memory of 1040 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4540 wrote to memory of 2824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 2824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 3188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 3188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
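
Most of the rows above are a parent writing into a child it just created (the repeated chrome.exe pairs are the browser's ordinary multi-process startup), so the value of this table is the chain it encodes rather than any single write: SLOVOPACANA.exe starts WScript.exe on a .vbe, which runs cmd.exe on a .bat, which launches the dropped blockbroker.exe, which in turn starts the fake winlogon.exe that drives csc.exe. The script below is an added example, not part of the sandbox report: it rebuilds that chain from rows copied from the table and flags the point where a script host or shell hands off to a binary outside the Windows system directories. The row regex, the script-host list and the trusted-root allowlist are this example's own assumptions.

```python
"""Rebuild the process chain from the sandbox's 'wrote to memory' rows.

Added example, not part of the original report. SAMPLE_ROWS is a subset copied
from the table above; the row regex, the script-host list and the 'dropped
payload' heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)

# Rows copied from the report's table (one duplicate kept on purpose).
SAMPLE_ROWS = r"""
PID 4704 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe C:\Windows\SysWOW64\WScript.exe
PID 4704 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe C:\Windows\SysWOW64\WScript.exe
PID 868 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\ComAgentSession\blockbroker.exe
PID 1796 wrote to memory of 3780 N/A C:\ComAgentSession\blockbroker.exe C:\Windows\Downloaded Program Files\winlogon.exe
PID 3780 wrote to memory of 4424 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\SYSTEM32\cmd.exe
PID 3780 wrote to memory of 4984 N/A C:\Windows\Downloaded Program Files\winlogon.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4984 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4540 wrote to memory of 2824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4540 wrote to memory of 1120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
""".strip().splitlines()

# Interpreters and shells whose non-system children deserve a second look (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Children under these roots are treated as genuine Windows binaries (assumed allowlist).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\microsoft.net\\")


def parse_rows(rows):
    """Map (src_pid, dst_pid) -> (src_image, dst_image); duplicate rows collapse."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = (m["src_img"], m["dst_img"])
    return edges


def build_tree(edges):
    """Return (children, images): children[pid] -> [child pids], images[pid] -> path."""
    children, images = defaultdict(list), {}
    for (src, dst), (src_img, dst_img) in edges.items():
        children[src].append(dst)
        images[src], images[dst] = src_img, dst_img
    return children, images


def roots(children):
    """PIDs that were never written to, i.e. the starting point of each chain."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def chains(children, images, pid, path=()):
    """Yield every root-to-leaf chain as a tuple of (pid, lowercase basename)."""
    path = path + ((pid, images[pid].rsplit("\\", 1)[-1].lower()),)
    if not children.get(pid):
        yield path
        return
    for kid in children[pid]:
        yield from chains(children, images, kid, path)


def suspicious_chains(rows):
    """Chains where a script host or shell launches an executable outside TRUSTED_ROOTS."""
    children, images = build_tree(parse_rows(rows))
    hits = []
    for root in roots(children):
        for chain in chains(children, images, root):
            for (_, parent), (child_pid, _) in zip(chain, chain[1:]):
                child_path = images[child_pid].lower()
                if parent in SCRIPT_HOSTS and not child_path.startswith(TRUSTED_ROOTS):
                    hits.append(" -> ".join(f"{name}({pid})" for pid, name in chain))
                    break
    return hits


if __name__ == "__main__":
    for hit in suspicious_chains(SAMPLE_ROWS):
        print(hit)
```

Run stand-alone it prints the two chains rooted at SLOVOPACANA.exe and nothing for the Chrome tree. The same parent-to-child hand-off (script host or cmd.exe starting an executable from a user-writable directory) is what to alert on in endpoint process-creation telemetry; the sandbox's "wrote to memory" wording should not be read as code injection into an unrelated process.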

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe

"C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ComAgentSession\J1Z3KeWJB1lM.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ComAgentSession\FU70pek1lKzqNpW.bat" "

C:\ComAgentSession\blockbroker.exe

"C:\ComAgentSession\blockbroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "blockbroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\Downloaded Program Files\winlogon.exe

"C:\Windows\Downloaded Program Files\winlogon.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\\3gUlVaPHfz.bat"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD994.tmp" "c:\Users\Admin\AppData\Local\Temp\owd0vlhs\CSC9EB42EC220444172B7EAC49DE9996981.TMP"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"

C:\odt\SearchApp.exe

C:\odt\SearchApp.exe

C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe

C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe

C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe

"C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.cmdline"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4672 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4732 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8

C:\Windows\Offline Web Pages\sihost.exe

"C:\Windows\Offline Web Pages\sihost.exe"

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\system32\dashost.exe

dashost.exe {7a9b72e2-86d9-4028-8c086fd90d6660f6}

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"

C:\Recovery\WindowsRE\csrss.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe

"C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe"

C:\Recovery\WindowsRE\blockbroker.exe

C:\Recovery\WindowsRE\blockbroker.exe

C:\Users\Default User\TrustedInstaller.exe

"C:\Users\Default User\TrustedInstaller.exe"

C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe

C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe

C:\odt\SearchApp.exe

C:\odt\SearchApp.exe

C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe

"C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"

C:\Recovery\WindowsRE\spoolsv.exe

C:\Recovery\WindowsRE\spoolsv.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Recovery\WindowsRE\dwm.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezapyabp\ezapyabp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1264.tmp" "c:\Users\Admin\AppData\Local\Temp\ezapyabp\CSC8743270E222B43319E1254467B67EFC.TMP"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & taskkill /f /im taskmgr.exe

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\Fonts\sppsvc.exe

C:\Windows\Fonts\sppsvc.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Recovery\WindowsRE\sysmon.exe

C:\Windows\Downloaded Program Files\winlogon.exe

"C:\Windows\Downloaded Program Files\winlogon.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"

C:\Windows\Offline Web Pages\sihost.exe

"C:\Windows\Offline Web Pages\sihost.exe"
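The process list above records the same persistence pattern for every dropped copy: one task named after the binary that fires at logon with /rl HIGHEST, plus one or two tasks with a one-letter suffix that re-launch it every few minutes. The script below is an added example (not part of this report, the sample, or the sandbox) that parses schtasks /create command lines into their fields and flags targets registered both at logon and on a short MINUTE loop with the HIGHEST run level. The command lines in SAMPLE_CMDLINES are copied from the list above plus one constructed benign control; the 15-minute cut-off is an assumption, not a documented DcRat constant.

```python
"""Summarise the scheduled-task persistence recorded in a sandbox process list.

Added example for this report, not code from the sample or the sandbox. The
sample command lines are copied from the process list (plus one constructed
benign control); the 15-minute threshold is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: schtasks invocations as they appear in the process list.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f''',
    # Constructed control: a single daily task without an elevated run level.
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Vendor\backup.exe" /f''',
]

CREATE_RE = re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)
# Only the flags we care about; /create and /f carry no value and are skipped.
FLAG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the fields of one 'schtasks /create' line, or None for other commands."""
    if not CREATE_RE.search(cmdline):
        return None
    fields = {k.lower(): v.strip('"') for k, v in FLAG_RE.findall(cmdline)}
    modifier = fields.get("mo", "")
    return {
        "name": fields.get("tn", ""),
        "schedule": fields.get("sc", "").upper(),
        "modifier": int(modifier) if modifier.isdigit() else None,
        # The sample wraps /tr values in an extra pair of single quotes; drop them.
        "target": fields.get("tr", "").strip("'"),
        "highest": fields.get("rl", "").upper() == "HIGHEST",
    }


def summarise(cmdlines):
    """Group parsed tasks by target executable (case-insensitive path)."""
    by_target = defaultdict(lambda: {
        "names": set(), "schedules": set(), "minute_intervals": [], "highest": False,
    })
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None or not task["target"]:
            continue
        entry = by_target[task["target"].lower()]
        entry["names"].add(task["name"])
        entry["schedules"].add(task["schedule"])
        if task["schedule"] == "MINUTE" and task["modifier"] is not None:
            entry["minute_intervals"].append(task["modifier"])
        entry["highest"] = entry["highest"] or task["highest"]
    return dict(by_target)


def persistence_triads(cmdlines, max_interval=15):
    """Targets registered at logon AND on a short MINUTE loop with HIGHEST run level.

    max_interval (minutes) is an assumed threshold chosen to cover the 5..14 minute
    loops seen in this report.
    """
    flagged = []
    for target, entry in summarise(cmdlines).items():
        short = [m for m in entry["minute_intervals"] if m <= max_interval]
        if "ONLOGON" in entry["schedules"] and short and entry["highest"]:
            flagged.append(target)
    return sorted(flagged)


if __name__ == "__main__":
    for target, entry in summarise(SAMPLE_CMDLINES).items():
        print(target, sorted(entry["names"]), sorted(entry["schedules"]),
              entry["minute_intervals"], "HIGHEST" if entry["highest"] else "")
    print("layered persistence:", persistence_triads(SAMPLE_CMDLINES))
```

Run it over the full process list of a report (or over Sysmon event ID 1 command lines) and every target that comes back is a binary to pull, hash and compare against the dropped-file list.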

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 a0892776.xsph.ru udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 41.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.194.19.2.in-addr.arpa udp
US 8.8.8.8:53 217.194.19.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 a0892776.xsph.ru udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
NL 23.206.86.216:443 cxcs.microsoft.net tcp
NL 88.221.24.24:443 www.bing.com tcp
US 8.8.8.8:53 24.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 216.86.206.23.in-addr.arpa udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 www.google.com udp
NL 172.217.168.196:443 www.google.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
US 108.177.96.100:443 apis.google.com udp
US 8.8.8.8:53 100.96.177.108.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
NL 108.177.127.100:443 clients2.google.com udp
US 8.8.8.8:53 100.127.177.108.in-addr.arpa udp
NL 108.177.127.100:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
NL 172.217.168.196:443 www.google.com udp
NL 172.217.168.196:443 www.google.com tcp
NL 108.177.127.100:443 clients2.google.com udp
NL 108.177.127.100:443 clients2.google.com tcp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
NL 216.58.214.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 e2c29.gcp.gvt2.com udp
US 34.106.86.104:443 e2c29.gcp.gvt2.com tcp
US 8.8.8.8:53 3.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 104.86.106.34.in-addr.arpa udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
NL 216.58.214.3:443 beacons.gcp.gvt2.com udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
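Most rows in the table above are reverse-DNS lookups the sandbox itself performs and browser background traffic; the operationally interesting part is the repeated plaintext HTTP connections to a0892776.xsph.ru (141.8.192.6:80). The script below is an added example, not part of this report, that parses rows in the table's format, drops in-addr.arpa / ip6.arpa noise, counts connections per endpoint and surfaces repeated plaintext HTTP to one host as a beacon candidate. SAMPLE_TABLE is a constructed subset of the rows above; the min_hits threshold and the plaintext-port list are assumptions.

```python
"""Triage a sandbox network table: separate reverse-DNS noise from real
connections and surface repeated plaintext HTTP to one host.

Added example for this report, not part of it. SAMPLE_TABLE is a constructed
subset of the rows in the Network section; min_hits and plaintext_ports are
assumed thresholds.
"""
from collections import Counter

# Constructed sample: rows copied from the Network table above.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 a0892776.xsph.ru udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
NL 23.206.86.216:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 www.google.com udp
NL 172.217.168.196:443 www.google.com udp
NL 172.217.168.196:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
"""


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1].lower()
        domain = parts[2] if len(parts) == 4 else ""
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_reverse_lookup(row):
    """PTR lookups the sandbox issues for every IP it sees; not sample behaviour."""
    return row["port"] == 53 and row["domain"].endswith((".in-addr.arpa", ".ip6.arpa"))


def forward_queries(rows):
    """Names the guest actually asked the resolver for."""
    return {r["domain"] for r in rows if r["port"] == 53 and not is_reverse_lookup(r)}


def endpoint_counts(rows):
    """Connection count per (ip, port, domain, proto), DNS rows excluded."""
    counts = Counter()
    for r in rows:
        if r["port"] == 53:
            continue
        counts[(r["ip"], r["port"], r["domain"], r["proto"])] += 1
    return counts


def beacon_candidates(rows, min_hits=3, plaintext_ports=(80,)):
    """Hosts contacted repeatedly over plaintext HTTP (thresholds are assumptions)."""
    out = []
    for (ip, port, domain, proto), hits in endpoint_counts(rows).items():
        if proto == "tcp" and port in plaintext_ports and hits >= min_hits:
            out.append({"ip": ip, "port": port, "domain": domain, "hits": hits})
    return sorted(out, key=lambda d: -d["hits"])


def connections_without_lookup(rows):
    """Endpoints reached without a preceding forward DNS query (hard-coded IPs, multicast)."""
    known = forward_queries(rows)
    hits = {(r["ip"], r["port"]) for r in rows
            if r["port"] != 53 and r["domain"] not in known}
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    print("reverse lookups ignored:", sum(1 for r in rows if is_reverse_lookup(r)))
    print("forward queries:", sorted(forward_queries(rows)))
    print("beacon candidates:", beacon_candidates(rows))
    print("no DNS lookup:", connections_without_lookup(rows))
```

Against the full table the only candidate is 141.8.192.6:80 / a0892776.xsph.ru; the Google and Bing endpoints are TLS on 443 and come from the Chrome processes the sample launched, which is why the script treats plaintext HTTP separately rather than counting every repeated endpoint.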

Files

C:\ComAgentSession\J1Z3KeWJB1lM.vbe

MD5 f83a0a294a0f7c5ec97371c705cbfec9
SHA1 4cf78ab1616432c1f8c714f122a79350af8a53f5
SHA256 5a23f943e2e3054bbfad3f9b71c5c03498c78a510a758511bfca0f34f287724f
SHA512 9e127673927c5a69d1ab4022046c57135f961ed1ce1b8974a47550d1555b43762008a7b6ce3ba220ab917cb2466703dddda3add1ca784b4c8d5b5d0cdfb1c620

C:\ComAgentSession\FU70pek1lKzqNpW.bat

MD5 db5bc92a508253027eeb8b1703425243
SHA1 f17f65ab6ee1d0d59092eecd0c9c89288adbb355
SHA256 6a48edfa769d6420962994aa84e6b261734fd289860251c12eff0d6b9994e153
SHA512 5637eab1c2f15f80b7a62694a27d0cd2649c183625119b3bd0cfcc42d49c9693b5708b098f18d0084509079601f1893f09079d7580d3b01d74fa9095101e4521

C:\ComAgentSession\blockbroker.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\ComAgentSession\blockbroker.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

memory/1796-12-0x0000000000110000-0x00000000001E6000-memory.dmp

memory/1796-13-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/1796-14-0x00000000009D0000-0x00000000009E0000-memory.dmp

C:\Program Files\Windows Security\sppsvc.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\Windows\Downloaded Program Files\winlogon.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\Windows\Downloaded Program Files\winlogon.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

memory/3780-65-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/1796-64-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/3780-66-0x000000001B1F0000-0x000000001B200000-memory.dmp

memory/3780-67-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/512-68-0x0000025C72440000-0x0000025C72450000-memory.dmp

memory/512-84-0x0000025C72540000-0x0000025C72550000-memory.dmp

memory/512-100-0x0000025C7A820000-0x0000025C7A821000-memory.dmp

memory/512-102-0x0000025C7A850000-0x0000025C7A851000-memory.dmp

memory/512-103-0x0000025C7A850000-0x0000025C7A851000-memory.dmp

memory/512-104-0x0000025C7A960000-0x0000025C7A961000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

MD5 3df5329028ec13c367e1283a462b0dab
SHA1 4294d5cb78c980c90cf4da0a540943d931aed884
SHA256 945cbff2edfc91f9dc83d777f498d9168e3ff0b9495ca91c97abaf85e226a85c
SHA512 b7a8f8117d82737ea9506285f4524ca2053bfbe7f24009b2036ebdc8ab6b4b99d9181889a318a3c284c4310be5b39fdbda9cd312bf2a02459d3b90acc06a6f49

\??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.cmdline

MD5 a6743587a682bc9723b2f65c041be508
SHA1 68d08bb35141c5b7be1796fe373c294bd156b665
SHA256 d7292c7d79337214d67a68961cc174fc321b6f30484a64eec270d8204bcce874
SHA512 97bcb92168c3afc01cf77ef44267bdc28e8f23cb0706794c8f6955a7cc64ddc4eedeb9f8bcbd56a085f1d40de94b904103e949365f4c429b1e5f2bb06d83f15b

\??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.0.cs

MD5 ee98b18b7a7a0cb24a9564ee3b770530
SHA1 a9d5245c3a1835eae87d8e98faf1dfbd33e2a633
SHA256 3a72cbbb3032641f66650d753f9dd4c61659fc9e0e1f94bf7fce8b41a5ce767a
SHA512 39f2a571431d73eb627094afac4ccbdde7acef284c623e21ef7c7e1d6d12f4d897610479c9eaec206472d8ff9c03232c6385895a8cd1766e44f733bb5f7f9037

\??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\CSC9EB42EC220444172B7EAC49DE9996981.TMP

MD5 3ed69fcf43025df50e7ff3fa77a8dd97
SHA1 0bc73e7407ae4e7743f84bf0e285413a53000548
SHA256 0466286ef439f17314d6ad63c99f2d217c2c67cc40052b0a15347702936d0f49
SHA512 452ce93216b6d5e95d095623fd2e2c113b3bd91b49904346c7367550cac28969953b2f256d8e6d70fda6ccac1944c9f8d35c43a449b00d7b46f33c21e7f1c4b2

C:\Users\Admin\AppData\Local\Temp\RESD994.tmp

MD5 d0faded3acf408ebb97a11c352c760ef
SHA1 598ea636de9569e4aba34bdaba0a4b8f7ec9d7bc
SHA256 da8cb33f5a58c362620386d472bcd555da42dd58f28afa453f3e358fdc9a5cd0
SHA512 2352bce292715ea07487f060ffe13696a754ede18353366c5f69441561c80271992afe47a16faf9cc1fb49c25eae7ce5a845fa7a04559253209958fe0a2ac98a

C:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.dll

MD5 a33e031116fc91cd8f03aa3850e395a0
SHA1 1e4466087f9acd00dbd7987572e6d77893e34296
SHA256 63da7180b93899c5c144f865f239d3a51812055620e7a204be6534661f5de073
SHA512 5955c5f6f73e23a637a139b4530ebb2b47f9bddb78db7f7b78eadf507342a35c34625f244ba08d03eb8dd35fe7cd9da9e81d72a9635a6de78e768f8bae33a1e8

memory/3780-122-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

memory/744-126-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/744-127-0x000000001B660000-0x000000001B670000-memory.dmp

memory/744-129-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\odt\SearchApp.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\odt\SearchApp.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

memory/2844-134-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2844-135-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

memory/1244-136-0x000000001B330000-0x000000001B340000-memory.dmp

memory/1244-137-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe

MD5 2f055355f956c24ffc2276a84e1f24b5
SHA1 e8c6619057c583077b0f171280212c548f54d263
SHA256 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553
SHA512 f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1

memory/788-140-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/788-141-0x000000001B340000-0x000000001B350000-memory.dmp

memory/1244-144-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2844-145-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/788-147-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.cmdline

MD5 3c7cf5932df62f9cace43369e69c9cc2
SHA1 6b81ff39623ffa65e4a8f0db83556bd0815a837f
SHA256 77746c97acd6d4928c571eea76a10e80fe9c93cf615e3b49cbfe4bdd78d9931b
SHA512 99f0c1908d29481730c783b4a12002573719c6df5de5a84909896ac0e301a4ba3c2080a10fc3ed772d3c0b193162b5f18eb18fe91f33d45f29a4773a4ebfe478

\??\c:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.0.cs

MD5 d4066cc7fa7bb70669af47eac69f3ef0
SHA1 642d369cc12b4f33ba97b608df5e511640c1ee96
SHA256 cb8e3091cc67c7a0dd5aad57baae2f8b7fb33a83dd7f8a65a39cf44a67684999
SHA512 d9d2574ec5a1bb4b871a461495bcb803ddef0f16c72c3532c4cde1b05dd56c0f93f32b3d0f84e0df75dff010d4e080637982a6570e00fc4bd3e68077049086eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 223954b6b921b05bf59b57f3db55c370
SHA1 d5213e96c5f6c8cf104eed7ce56c50d22e84519e
SHA256 f518330912fbb405e648111e511c48b73c375b911a322be9f8498727d8a45cef
SHA512 0421e9076193112fa0a5c17591eb1bc8174048f97de37be8601e782add7ad326c541fbe95f65b9b09967e7d946377f9f276cacdb2c90f356ded9dbb58134686a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e0fca882f352b1f9152d986cc304d217
SHA1 faa3bececc3486288643cc12b1a25920a42f3749
SHA256 036cd8dbf47cfe76e985ae3054692155f9beab812b81a2b8c71f91764edb6cd7
SHA512 0cacd787d3d579a7ba778b744fdd032bf10d04fa11c9c67c0975ad9cf7e7865f48415dd4a2bc5eeda2a1b6a6d6ec8c36e78c9777cecc3d852d42422278928438

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7df9378cd068117811256fbd614f1cca
SHA1 f970084108e2b2020b73f8bb4b53f235a3f20149
SHA256 7135e9def2674879e71527bd66db955711abef935673bdbde08cdad398bef493
SHA512 f8cad8b16e908cb7541ebd2fc23d3eae4fe79f88bb5c334a85c244a330abad0f7f785824a4540ee8487f6cc96249f0058b2dc442b55a7f941312216306ee1729

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0c7058e843c3cf4b0f485b9f526db6d0
SHA1 fc8779e60131c2c8bdcf212e85f531083e3debfc
SHA256 63c2ff80e29363b8d3647bbbed66932346620c9c98b79120f8156c194cd5080e
SHA512 77db9c3f702e287c3686b68ee1eefd7d0c00465ec88cf7b47ae1d4e9e82d67840f80fbab20d2892a46096fb8a2ebe04f6a2ed5f24dbc2f65401d5fc23ce64822

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2a1a540b49c7b8cc78b580848772ca36
SHA1 0befd7cce06f97f3b62dd7b75f331aa3240b990f
SHA256 9f7fd5be2ed08f1955745758422d7e3cc8f5c249de32d3932c58093560892921
SHA512 bf0dc17dd0bcdc2cae7827989c8f98b62962e4002f4e93e8f8161173d27089a21afd7d4a102d432a7b19bbdaa7864abee6988dcc590176d7e7a393c2e419005c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0134421278bd8196c677004e39af44d1
SHA1 4c225a95b716ad79b2cf28c09e11b7592a46eb41
SHA256 84d732f79aa2d96d704a697f394b1b9fce6917ffab648423e26269d69424c3a8
SHA512 8248eab16c4f35469ee6dbb7fad0dfd7c9e2f4a6ccaf6be040f6d34952942c6d9b6f1b3c28c1dcf1d04b77a285eec0c8e507c78e352239bb988f5c6c4210a262

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 6e5a0fb5efdcc035796b1e6e203bbbc1
SHA1 fee75b4967e6cfd4f06c36270f273f167a05b047
SHA256 76afc4a4e96879c25debe396e33347191b89b953a3ef9c6e01c97440cca96d99
SHA512 9c84371aa89ef3aaadcd45f8095ad79f84d7135bf1f83009bf85fd3377f3c33a65873abb1202b3e6e45e5c757efd5a46b7a71d16e5ef4a29cb512865892760c8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 66a053d6739fe940ec8c86d7d7edf5ca
SHA1 7bca498903f551bd30fadaff9aea89f69be58890
SHA256 34f812910e594035498af16fd84f5da4e2380f7ad86f77ba2b4aa8942550ccd1
SHA512 e15d98456693fe4cafebbbe5a0a60259b9b44e086269efcd375366e6a043d20c7c585a4f550720fe96548a535df1a606a7d606bf2c0c12b8a1eaecfef40ef740

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0c7058e843c3cf4b0f485b9f526db6d0
SHA1 fc8779e60131c2c8bdcf212e85f531083e3debfc
SHA256 63c2ff80e29363b8d3647bbbed66932346620c9c98b79120f8156c194cd5080e
SHA512 77db9c3f702e287c3686b68ee1eefd7d0c00465ec88cf7b47ae1d4e9e82d67840f80fbab20d2892a46096fb8a2ebe04f6a2ed5f24dbc2f65401d5fc23ce64822

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 bc6142469cd7dadf107be9ad87ea4753
SHA1 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256 b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA512 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

MD5 d980d17895283a0e1d8d8a256269d284
SHA1 005260b0d7167a7444a7a38631d828b49f5292db
SHA256 5ef8424c5a73a9a074e2ad202f3f37fc7ee6d733b38a4695c168f1c09a5885f9
SHA512 16adc23fe985cdafda6edf4cdd0d3263b2dd043397dfff018339a084cbefbba77f5b1ff271da486eccc88ba9f6ca06170770e3a9f085d25f2bb242c42da83e71

\??\pipe\crashpad_2924_YQCLSQGTYKHMNCMG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

MD5 d118ac27f5c37c6511a9490ba6ac454e
SHA1 ec400e0eb0a480a052f0bca2ec87d23e3f84c936
SHA256 77e3ba641f04eb473d234d3bdba450ac0a2559a6dd5dcc02399e69625fe07365
SHA512 e150e7e7a853ad68d27cac44026fb76a8d25aaeb47fcdf2e78ff9d5bcfe97629ee97fff7afa37e5799c70912d0d860abdcd88a406e23bea38bc3e9b61f28f0c2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

MD5 f98defe17a8e79ea97a0ea9e1f2fd717
SHA1 c09a3b2399f00f62915b97d5e8f04ffdbb9ff200
SHA256 5474c5a6cbf3c417b8fa8202aeed419d12038b81449674aad6cb20781843a81d
SHA512 4bd52e7581c40b63e41df8d6521a3eb38ba8f1573ee193e4878a4af0f56db239b68e0faa1b0c31c8d7a9dfea8798be5649a42a604b0a25961e5a31caf3fb735e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

MD5 935f2136b75f27769ccc7e5cda60eb27
SHA1 480047af7d8b544cb45e713283ff3c39d9470340
SHA256 10d421e27b815c3835ccff890a2be9fb834014a37bce460dfd22ceb9e2cf00f6
SHA512 45559bb83faf2a8d615e5cc7b88e44ab3ab796a65828dd995bb0497591fb7b29aff0ff41c8892e370e112443a6744237bd1707ca2204ae282c55c9fbd761c810

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

MD5 86efaf1a8666926f0e6efa7f7a27bb6c
SHA1 f39351820a7d988cf72852c886565ee895f9917d
SHA256 7738f249275e5133c18d8006e56e540ff78a32f22d7d2ddddb24bf9b95e0b9c2
SHA512 96ed49f9a23cbb314cfb14129dbc1fc707b37fa9fce57787ef9a9682d6f51c1a6b7b3fe379dfad22c50b7231eaa8613f1d0ad8c1df5fcd238ba897c1919b1030

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7df9378cd068117811256fbd614f1cca
SHA1 f970084108e2b2020b73f8bb4b53f235a3f20149
SHA256 7135e9def2674879e71527bd66db955711abef935673bdbde08cdad398bef493
SHA512 f8cad8b16e908cb7541ebd2fc23d3eae4fe79f88bb5c334a85c244a330abad0f7f785824a4540ee8487f6cc96249f0058b2dc442b55a7f941312216306ee1729

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

MD5 8dd8360a04d0627d6ee2f9c8c2b6d233
SHA1 4367fbe3fa5374554a29f239b0eca798d408c5aa
SHA256 efd13aaf071384b65a9e13b39ac2e0a95f6b4123ed97a7f32be4ef7cfa5236d8
SHA512 e6ba8202016b8f83ef301277ddb24a3417220c3eebffb1413f40f5e689d8ca6ac8f26ad8ff223652c1cc8b6d06f83202171a7456d92d37d9ee086d9b96559d87

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 6e5a0fb5efdcc035796b1e6e203bbbc1
SHA1 fee75b4967e6cfd4f06c36270f273f167a05b047
SHA256 76afc4a4e96879c25debe396e33347191b89b953a3ef9c6e01c97440cca96d99
SHA512 9c84371aa89ef3aaadcd45f8095ad79f84d7135bf1f83009bf85fd3377f3c33a65873abb1202b3e6e45e5c757efd5a46b7a71d16e5ef4a29cb512865892760c8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

MD5 929729aa7cff46b3dad2f748a57af24c
SHA1 81aa5db7dd63c79e23ccd23bf2520ab994295f2e
SHA256 3c63e6c7fa25849799d08bf54988bfb3b77b1d1eebb1e55a94b64995850cba2f
SHA512 a10eaa6f2708b683bd43295b9c3da5840c0eb6d8a6b9e1922a534270fecbc0dcdb4cdcc28768df292a06f6210885b510254bdca17e5b3c507b0337fe7dc3d743

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

MD5 5d05ba495d37acd79c70e5b557a0c16c
SHA1 e96ad98168fa375dea9c37c8a3263437224300a7
SHA256 21b00ea3a3278814e1e425f24bdeb0fdd79f9cbef6a4417648e711c90fb1660d
SHA512 90e9777de33256df5104001b3c76ba5c52dd71c883661e0cfb02426d45bfd805cff05bae308589f3d1a451f5163afe59ca6a3107ef0b9343c10b5c436cfb2cae

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

MD5 f5118dd18af12aba720339dd42830c08
SHA1 0ed013d68aea57a1f587fe47e72464f84dc3994a
SHA256 c977fccad202c62d07cca71375b7f710cf97a2679d71e9083f529a38d4e68dcc
SHA512 8a33bbfe4488d06b47c9664df2832292adc6060a99baf8bda68a751e501a7f61f15825a0e0fba85064f574539de09279b48927d154f4f366de5fec2400c673d9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

MD5 344195b3134218414f9ec76d65c462b9
SHA1 13e80dc8ae020fb91259d072d939cabd038fa2ab
SHA256 e9305ffbcf6a27bac5113d58d0f491b8caab480c22d3d63268e14f6d59a45782
SHA512 66e8c955f8272ef785536a7e8cc3a3b160cd27520f5a835a3846cc513c5956d022a683089a42320dfd8c04e09998ddfc759a9d33aea271b88355765ed315f175

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

MD5 c400056b2ea08acaae9db4bb506bcf76
SHA1 26c5760d7c7f7f37ac3211c6d5a491fa002926b7
SHA256 01e0b5c234c9ed4fed2d1eb9bb6c1e22cbbcc47efe737632a0bbafdaa99d5cf2
SHA512 c61391c3cc6db7683039fd113e7aeaa5e9357ccafc1701b9ff49354699aba58ab43fd3c35916aef6a954209c2bb7f4dbd1fbdc946b53c90c1ba1d952e4a81835

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

MD5 51668952c3a3ab36426b1944f3728e46
SHA1 fab8bd955484c9bfe2670adf2eb9c58b63006788
SHA256 357976c65f912707b145efd874990414a2722f485f3410f91bfd22c8969ccda9
SHA512 0ab04d7ef2e8102dcf5cb173c3d52e2ac5a5c2c5259ecf385589b2537bbc4e2f95661d46be5a5ea147a6b9d07d61c95ff5f65badcff446a29acc2b24fdc7a31d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 9eae63c7a967fc314dd311d9f46a45b7
SHA1 caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512 bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2a1a540b49c7b8cc78b580848772ca36
SHA1 0befd7cce06f97f3b62dd7b75f331aa3240b990f
SHA256 9f7fd5be2ed08f1955745758422d7e3cc8f5c249de32d3932c58093560892921
SHA512 bf0dc17dd0bcdc2cae7827989c8f98b62962e4002f4e93e8f8161173d27089a21afd7d4a102d432a7b19bbdaa7864abee6988dcc590176d7e7a393c2e419005c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0134421278bd8196c677004e39af44d1
SHA1 4c225a95b716ad79b2cf28c09e11b7592a46eb41
SHA256 84d732f79aa2d96d704a697f394b1b9fce6917ffab648423e26269d69424c3a8
SHA512 8248eab16c4f35469ee6dbb7fad0dfd7c9e2f4a6ccaf6be040f6d34952942c6d9b6f1b3c28c1dcf1d04b77a285eec0c8e507c78e352239bb988f5c6c4210a262

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b387506d1d609cdeaacf83ed5064deb2
SHA1 6b0593bc8f4c07496cd6baab6298b5b6086310dd
SHA256 bf9944b7bebe993bf81246722865fb2d0060408f3ec4c111f2eeb8fef1a78997
SHA512 fc18fd97f40b1ce05cdc7d286de08fa15c1474633ebffa912bd7018d6c1085a66dd028a9ea53a98f219de4f1e99de489847f5dcde46efaad46f1cad8c3056a1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 95055c1bfc7002c46e872e65649db4f1
SHA1 d752df17205c45608cc6eb60560fcc2a12591221
SHA256 dffe9d282d6d6c7e87242224de65c98d3e0bd92eccb7dac4be217091d33b6bc4
SHA512 db39055e77e1d1f20c9135becf7957634479257170c422e78eedd9ec33237c3660e47faec43c99e9c2586fc8010793490cbc14326e4690005b33ac5682c6fa90

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 5e82967f9315957f704c066ec7a860d9
SHA1 4e2fa8f5e8eebc714ba54958019f0f45517bbc70
SHA256 daeb6266dc42a3209f5ddbf6cb86c4c5097236690f0dbe672dd462c014d98532
SHA512 d1cbd0f484ab1da92a1e129a961bdf5d5d844d5835ae47cfb121f534b3bb1e2615b2300e60029b2bb322dd34a1dc0741b66aeeb4d9510fc1833cb2a47c1a5e7f

memory/2956-372-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2956-373-0x0000000002C70000-0x0000000002C80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/2956-377-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f45910e8ebe9f0df6e5ef903df0657e1
SHA1 f924a2c44cfa1412c05d9e4da383934da2a1ba9c
SHA256 18f41bf18c4df300bc34ecde651f6b6b47d5378776bdc1e369d2def06e510aec
SHA512 aed953f6cffcf893d48264b5c6429f1edbe8c815e7f8180827529b5df1dc5f53c69fc1e47da624c0bc6c94c2b0981c8dd221dad89be023f3fc48d1176fd451f4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ca0f788e62d611d48989651496d0362b
SHA1 625725b3b1f71c2e3d2cbfc15c9488090049a76f
SHA256 59981c1aa6ee94a24b2aca33ebf581d69c2cd4cf3d5f86217961a07fab442219
SHA512 0c75767f4ba3c95273de18c51fb1d50e9795e97daf23fd99acf31079583befde873d9c7ab2db7793aa1a9e7babbc02679cd658d6e8c3b05c65d224b04a8808f3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 43a86868b757012518d4963cb542d5fe
SHA1 e79c4540f89d45f526ea5c8ca189b31f39fbb338
SHA256 2f927cce18ea6bd2b9094704ccfca95d5b4de7c02254b1d899ef9f4029357e28
SHA512 f1cef761b22d4ad3ec24769c65e12ff1ebd4727d2a6a8c22c530cc1f13c110ed684cdd9e535726890b1969222e008e0d4574a5a4f284f2a8090c5b9a87f6cb90

C:\Users\Admin\AppData\Local\Temp\Untitled.png

MD5 8b54f4a71994d75f03d925e39b270266
SHA1 1cc3fb083cecb12eb9ea7a2296c88e68cd8ce7f8
SHA256 8fa966daba967f094792660843018f290ff549dbed28a9c02e8cffd795f08c76
SHA512 16291f11162869bb7a9958b851f79bad6af4c90376fb98d111debe4536c9d4eda9738be0b82d1bb9f26e45a881987f901d1b14f806ccd1f411dc2e75acdd72be

memory/376-432-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/376-433-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

memory/3092-434-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2988-435-0x0000000002980000-0x0000000002990000-memory.dmp

memory/2988-436-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/376-437-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2988-439-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/3092-441-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 5ad0ab3cf0f7dda6ca4e3f90bcb19154
SHA1 67eaa1b3e9bfe098fd3b4173398c14f52b86cee5
SHA256 f143ff02e7e0bdb1f81e2f86869e0eceddcb01f7c81116a8dc8d53867cfaa6d7
SHA512 668654b4a308a0b517e666e5e0c64ad9e814e27c6dd144b7f480b312b05328147672d150048be84d7b585065c501285bcc57a951aa36d151fb94848f8fd14afb

memory/4032-451-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4032-452-0x0000000002380000-0x0000000002390000-memory.dmp

memory/1788-453-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4032-454-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/1788-456-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/640-457-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4400-458-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4400-459-0x000000001B030000-0x000000001B040000-memory.dmp

memory/3592-460-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4384-461-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/640-462-0x000000001BCE0000-0x000000001BCF0000-memory.dmp

memory/3592-463-0x0000000001600000-0x0000000001610000-memory.dmp

memory/460-464-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4400-465-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4384-467-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/640-468-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/3592-469-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/460-471-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/3780-479-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

memory/1328-481-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2912-482-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2912-483-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

memory/4812-484-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/4812-485-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/3780-486-0x000000001B1F0000-0x000000001B200000-memory.dmp

memory/3780-487-0x000000001B1F0000-0x000000001B200000-memory.dmp

memory/1328-489-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/2912-491-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/4812-493-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

memory/3780-494-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 d5e535e98350bc9b20b09f97ef91564d
SHA1 0406e87bcf4650599496a11286874a5197e47014
SHA256 2d6a58669e655683d6ada04fabf0f9370a55e685956bd90f5361db69db618400
SHA512 91f091554a0437d5c2c0124dca2990aebacfe664bda149d77adff32ed87c56b1a0a5f28dc462c334b290264ddfb52205923175ce96e01e53a0be5ed28c4277e9

memory/2988-504-0x00007FFB12640000-0x00007FFB13101000-memory.dmp

memory/2988-505-0x00000000023B0000-0x00000000023C0000-memory.dmp

memory/2988-506-0x00007FFB12640000-0x00007FFB13101000-memory.dmp