Analysis Overview
SHA256
c248d6ee2cf5cd6ca386c7a358abdd8ec408c6a63f998f22cbf896809568d90f
Threat Level: Known bad
The file SLOVOPACANA.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
DcRat
DCRat payload
Dcrat family
DCRat payload
Executes dropped EXE
Checks computer location settings
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-06 14:13
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-06 14:13
Reported
2023-12-06 14:30
Platform
win10v2004-20231127-en
Max time kernel
995s
Max time network
1001s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
(this identical row is reported 57 times, once per schtasks.exe spawn)
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(this identical row is reported 14 times)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\ComAgentSession\blockbroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation | C:\Windows\Downloaded Program Files\winlogon.exe | N/A |
Executes dropped EXE
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\5940a34987c991 | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Program Files\Windows Security\sppsvc.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Program Files\Windows Security\0a1fd5f707cd16 | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e6c9b481da804f | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\22eafd247d37c3 | C:\ComAgentSession\blockbroker.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Offline Web Pages\66fc9ff0ee96c2 | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\DiagTrack\Settings\55b276f4edf653 | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\cc11b995f2a76d | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\Fonts\sppsvc.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\Offline Web Pages\sihost.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\it-IT\0a1fd5f707cd16 | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\winlogon.exe | C:\ComAgentSession\blockbroker.exe | N/A |
| File created | C:\Windows\Fonts\0a1fd5f707cd16 | C:\ComAgentSession\blockbroker.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133463460008644647" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a1e16d385721da01a34005c96221da011410ef744f28da0114000000 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000a1e16d385721da01bbaf67cf6221da01bbaf67cf6221da0114000000 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "2" | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\mspaint.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Windows\system32\mspaint.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Windows\system32\mspaint.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | C:\Windows\system32\mspaint.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\system32\mspaint.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Downloaded Program Files\winlogon.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
(this identical row is reported 6 times)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
(this identical row is reported 5 times)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe
"C:\Users\Admin\AppData\Local\Temp\SLOVOPACANA.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComAgentSession\J1Z3KeWJB1lM.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComAgentSession\FU70pek1lKzqNpW.bat" "
C:\ComAgentSession\blockbroker.exe
"C:\ComAgentSession\blockbroker.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\it-IT\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockbroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockbrokerb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\blockbroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
C:\Windows\Downloaded Program Files\winlogon.exe
"C:\Windows\Downloaded Program Files\winlogon.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\\3gUlVaPHfz.bat"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD994.tmp" "c:\Users\Admin\AppData\Local\Temp\owd0vlhs\CSC9EB42EC220444172B7EAC49DE9996981.TMP"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
C:\odt\SearchApp.exe
C:\odt\SearchApp.exe
C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.cmdline"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4672 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1820,i,3329001855101908166,9547700532015157804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb132c9758,0x7ffb132c9768,0x7ffb132c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4732 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:8
C:\Windows\Offline Web Pages\sihost.exe
"C:\Windows\Offline Web Pages\sihost.exe"
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\dashost.exe
dashost.exe {7a9b72e2-86d9-4028-8c086fd90d6660f6}
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=2016,i,5877464910147344589,12209923414115929204,131072 /prefetch:2
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe
"C:\Program Files (x86)\Windows Photo Viewer\ja-JP\dllhost.exe"
C:\Recovery\WindowsRE\blockbroker.exe
C:\Recovery\WindowsRE\blockbroker.exe
C:\Users\Default User\TrustedInstaller.exe
"C:\Users\Default User\TrustedInstaller.exe"
C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
C:\odt\SearchApp.exe
C:\odt\SearchApp.exe
C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe"
C:\Recovery\WindowsRE\spoolsv.exe
C:\Recovery\WindowsRE\spoolsv.exe
C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezapyabp\ezapyabp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1264.tmp" "c:\Users\Admin\AppData\Local\Temp\ezapyabp\CSC8743270E222B43319E1254467B67EFC.TMP"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & taskkill /f /im taskmgr.exe
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\Fonts\sppsvc.exe
C:\Windows\Fonts\sppsvc.exe
C:\Recovery\WindowsRE\sysmon.exe
C:\Recovery\WindowsRE\sysmon.exe
C:\Windows\Downloaded Program Files\winlogon.exe
"C:\Windows\Downloaded Program Files\winlogon.exe"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe"
C:\Windows\Offline Web Pages\sihost.exe
"C:\Windows\Offline Web Pages\sihost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0892776.xsph.ru | udp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.192.8.141.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| US | 8.8.8.8:53 | a0892776.xsph.ru | udp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| NL | 23.206.86.216:443 | cxcs.microsoft.net | tcp |
| NL | 88.221.24.24:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 24.24.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.86.206.23.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 172.217.168.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| US | 108.177.96.100:443 | apis.google.com | udp |
| US | 8.8.8.8:53 | 100.96.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 108.177.127.100:443 | clients2.google.com | udp |
| US | 8.8.8.8:53 | 100.127.177.108.in-addr.arpa | udp |
| NL | 108.177.127.100:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 172.217.168.196:443 | www.google.com | udp |
| NL | 172.217.168.196:443 | www.google.com | tcp |
| NL | 108.177.127.100:443 | clients2.google.com | udp |
| NL | 108.177.127.100:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 183.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| NL | 216.58.214.3:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | e2c29.gcp.gvt2.com | udp |
| US | 34.106.86.104:443 | e2c29.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 3.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.86.106.34.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| NL | 216.58.214.3:443 | beacons.gcp.gvt2.com | udp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0892776.xsph.ru | tcp |
Files
C:\ComAgentSession\J1Z3KeWJB1lM.vbe
| MD5 | f83a0a294a0f7c5ec97371c705cbfec9 |
| SHA1 | 4cf78ab1616432c1f8c714f122a79350af8a53f5 |
| SHA256 | 5a23f943e2e3054bbfad3f9b71c5c03498c78a510a758511bfca0f34f287724f |
| SHA512 | 9e127673927c5a69d1ab4022046c57135f961ed1ce1b8974a47550d1555b43762008a7b6ce3ba220ab917cb2466703dddda3add1ca784b4c8d5b5d0cdfb1c620 |
C:\ComAgentSession\FU70pek1lKzqNpW.bat
| MD5 | db5bc92a508253027eeb8b1703425243 |
| SHA1 | f17f65ab6ee1d0d59092eecd0c9c89288adbb355 |
| SHA256 | 6a48edfa769d6420962994aa84e6b261734fd289860251c12eff0d6b9994e153 |
| SHA512 | 5637eab1c2f15f80b7a62694a27d0cd2649c183625119b3bd0cfcc42d49c9693b5708b098f18d0084509079601f1893f09079d7580d3b01d74fa9095101e4521 |
C:\ComAgentSession\blockbroker.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\Program Files\Windows Security\sppsvc.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\Windows\Downloaded Program Files\winlogon.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat
| MD5 | 3df5329028ec13c367e1283a462b0dab |
| SHA1 | 4294d5cb78c980c90cf4da0a540943d931aed884 |
| SHA256 | 945cbff2edfc91f9dc83d777f498d9168e3ff0b9495ca91c97abaf85e226a85c |
| SHA512 | b7a8f8117d82737ea9506285f4524ca2053bfbe7f24009b2036ebdc8ab6b4b99d9181889a318a3c284c4310be5b39fdbda9cd312bf2a02459d3b90acc06a6f49 |
\??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.cmdline
| MD5 | a6743587a682bc9723b2f65c041be508 |
| SHA1 | 68d08bb35141c5b7be1796fe373c294bd156b665 |
| SHA256 | d7292c7d79337214d67a68961cc174fc321b6f30484a64eec270d8204bcce874 |
| SHA512 | 97bcb92168c3afc01cf77ef44267bdc28e8f23cb0706794c8f6955a7cc64ddc4eedeb9f8bcbd56a085f1d40de94b904103e949365f4c429b1e5f2bb06d83f15b |
\??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.0.cs
| MD5 | ee98b18b7a7a0cb24a9564ee3b770530 |
| SHA1 | a9d5245c3a1835eae87d8e98faf1dfbd33e2a633 |
| SHA256 | 3a72cbbb3032641f66650d753f9dd4c61659fc9e0e1f94bf7fce8b41a5ce767a |
| SHA512 | 39f2a571431d73eb627094afac4ccbdde7acef284c623e21ef7c7e1d6d12f4d897610479c9eaec206472d8ff9c03232c6385895a8cd1766e44f733bb5f7f9037 |
\??\c:\Users\Admin\AppData\Local\Temp\owd0vlhs\CSC9EB42EC220444172B7EAC49DE9996981.TMP
| MD5 | 3ed69fcf43025df50e7ff3fa77a8dd97 |
| SHA1 | 0bc73e7407ae4e7743f84bf0e285413a53000548 |
| SHA256 | 0466286ef439f17314d6ad63c99f2d217c2c67cc40052b0a15347702936d0f49 |
| SHA512 | 452ce93216b6d5e95d095623fd2e2c113b3bd91b49904346c7367550cac28969953b2f256d8e6d70fda6ccac1944c9f8d35c43a449b00d7b46f33c21e7f1c4b2 |
C:\Users\Admin\AppData\Local\Temp\RESD994.tmp
| MD5 | d0faded3acf408ebb97a11c352c760ef |
| SHA1 | 598ea636de9569e4aba34bdaba0a4b8f7ec9d7bc |
| SHA256 | da8cb33f5a58c362620386d472bcd555da42dd58f28afa453f3e358fdc9a5cd0 |
| SHA512 | 2352bce292715ea07487f060ffe13696a754ede18353366c5f69441561c80271992afe47a16faf9cc1fb49c25eae7ce5a845fa7a04559253209958fe0a2ac98a |
C:\Users\Admin\AppData\Local\Temp\owd0vlhs\owd0vlhs.dll
| MD5 | a33e031116fc91cd8f03aa3850e395a0 |
| SHA1 | 1e4466087f9acd00dbd7987572e6d77893e34296 |
| SHA256 | 63da7180b93899c5c144f865f239d3a51812055620e7a204be6534661f5de073 |
| SHA512 | 5955c5f6f73e23a637a139b4530ebb2b47f9bddb78db7f7b78eadf507342a35c34625f244ba08d03eb8dd35fe7cd9da9e81d72a9635a6de78e768f8bae33a1e8 |
memory/3780-122-0x0000000000BC0000-0x0000000000BC8000-memory.dmp
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
memory/744-126-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/744-127-0x000000001B660000-0x000000001B670000-memory.dmp
memory/744-129-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\odt\SearchApp.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\odt\SearchApp.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
memory/2844-134-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2844-135-0x000000001B7B0000-0x000000001B7C0000-memory.dmp
memory/1244-136-0x000000001B330000-0x000000001B340000-memory.dmp
memory/1244-137-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
C:\Program Files (x86)\Microsoft.NET\RedistList\TextInputHost.exe
| MD5 | 2f055355f956c24ffc2276a84e1f24b5 |
| SHA1 | e8c6619057c583077b0f171280212c548f54d263 |
| SHA256 | 0ce4d853accc7935de440653d0d593d3e0bed2782044d46cae0ac1849bb60553 |
| SHA512 | f813326257f0ff83208b69abd93e6034fc2393e1ee84ff717cdd0a4c698daa9fe8b9f0314d7aefa3732b487fe2ad80d00e3e7425d5638bc2cfd02c3e481146e1 |
memory/788-140-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/788-141-0x000000001B340000-0x000000001B350000-memory.dmp
memory/1244-144-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2844-145-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/788-147-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.cmdline
| MD5 | 3c7cf5932df62f9cace43369e69c9cc2 |
| SHA1 | 6b81ff39623ffa65e4a8f0db83556bd0815a837f |
| SHA256 | 77746c97acd6d4928c571eea76a10e80fe9c93cf615e3b49cbfe4bdd78d9931b |
| SHA512 | 99f0c1908d29481730c783b4a12002573719c6df5de5a84909896ac0e301a4ba3c2080a10fc3ed772d3c0b193162b5f18eb18fe91f33d45f29a4773a4ebfe478 |
\??\c:\Users\Admin\AppData\Local\Temp\wl1t251s\wl1t251s.0.cs
| MD5 | d4066cc7fa7bb70669af47eac69f3ef0 |
| SHA1 | 642d369cc12b4f33ba97b608df5e511640c1ee96 |
| SHA256 | cb8e3091cc67c7a0dd5aad57baae2f8b7fb33a83dd7f8a65a39cf44a67684999 |
| SHA512 | d9d2574ec5a1bb4b871a461495bcb803ddef0f16c72c3532c4cde1b05dd56c0f93f32b3d0f84e0df75dff010d4e080637982a6570e00fc4bd3e68077049086eb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 223954b6b921b05bf59b57f3db55c370 |
| SHA1 | d5213e96c5f6c8cf104eed7ce56c50d22e84519e |
| SHA256 | f518330912fbb405e648111e511c48b73c375b911a322be9f8498727d8a45cef |
| SHA512 | 0421e9076193112fa0a5c17591eb1bc8174048f97de37be8601e782add7ad326c541fbe95f65b9b09967e7d946377f9f276cacdb2c90f356ded9dbb58134686a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e0fca882f352b1f9152d986cc304d217 |
| SHA1 | faa3bececc3486288643cc12b1a25920a42f3749 |
| SHA256 | 036cd8dbf47cfe76e985ae3054692155f9beab812b81a2b8c71f91764edb6cd7 |
| SHA512 | 0cacd787d3d579a7ba778b744fdd032bf10d04fa11c9c67c0975ad9cf7e7865f48415dd4a2bc5eeda2a1b6a6d6ec8c36e78c9777cecc3d852d42422278928438 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 7df9378cd068117811256fbd614f1cca |
| SHA1 | f970084108e2b2020b73f8bb4b53f235a3f20149 |
| SHA256 | 7135e9def2674879e71527bd66db955711abef935673bdbde08cdad398bef493 |
| SHA512 | f8cad8b16e908cb7541ebd2fc23d3eae4fe79f88bb5c334a85c244a330abad0f7f785824a4540ee8487f6cc96249f0058b2dc442b55a7f941312216306ee1729 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0c7058e843c3cf4b0f485b9f526db6d0 |
| SHA1 | fc8779e60131c2c8bdcf212e85f531083e3debfc |
| SHA256 | 63c2ff80e29363b8d3647bbbed66932346620c9c98b79120f8156c194cd5080e |
| SHA512 | 77db9c3f702e287c3686b68ee1eefd7d0c00465ec88cf7b47ae1d4e9e82d67840f80fbab20d2892a46096fb8a2ebe04f6a2ed5f24dbc2f65401d5fc23ce64822 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 2a1a540b49c7b8cc78b580848772ca36 |
| SHA1 | 0befd7cce06f97f3b62dd7b75f331aa3240b990f |
| SHA256 | 9f7fd5be2ed08f1955745758422d7e3cc8f5c249de32d3932c58093560892921 |
| SHA512 | bf0dc17dd0bcdc2cae7827989c8f98b62962e4002f4e93e8f8161173d27089a21afd7d4a102d432a7b19bbdaa7864abee6988dcc590176d7e7a393c2e419005c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0134421278bd8196c677004e39af44d1 |
| SHA1 | 4c225a95b716ad79b2cf28c09e11b7592a46eb41 |
| SHA256 | 84d732f79aa2d96d704a697f394b1b9fce6917ffab648423e26269d69424c3a8 |
| SHA512 | 8248eab16c4f35469ee6dbb7fad0dfd7c9e2f4a6ccaf6be040f6d34952942c6d9b6f1b3c28c1dcf1d04b77a285eec0c8e507c78e352239bb988f5c6c4210a262 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 6e5a0fb5efdcc035796b1e6e203bbbc1 |
| SHA1 | fee75b4967e6cfd4f06c36270f273f167a05b047 |
| SHA256 | 76afc4a4e96879c25debe396e33347191b89b953a3ef9c6e01c97440cca96d99 |
| SHA512 | 9c84371aa89ef3aaadcd45f8095ad79f84d7135bf1f83009bf85fd3377f3c33a65873abb1202b3e6e45e5c757efd5a46b7a71d16e5ef4a29cb512865892760c8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 66a053d6739fe940ec8c86d7d7edf5ca |
| SHA1 | 7bca498903f551bd30fadaff9aea89f69be58890 |
| SHA256 | 34f812910e594035498af16fd84f5da4e2380f7ad86f77ba2b4aa8942550ccd1 |
| SHA512 | e15d98456693fe4cafebbbe5a0a60259b9b44e086269efcd375366e6a043d20c7c585a4f550720fe96548a535df1a606a7d606bf2c0c12b8a1eaecfef40ef740 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 66a053d6739fe940ec8c86d7d7edf5ca |
| SHA1 | 7bca498903f551bd30fadaff9aea89f69be58890 |
| SHA256 | 34f812910e594035498af16fd84f5da4e2380f7ad86f77ba2b4aa8942550ccd1 |
| SHA512 | e15d98456693fe4cafebbbe5a0a60259b9b44e086269efcd375366e6a043d20c7c585a4f550720fe96548a535df1a606a7d606bf2c0c12b8a1eaecfef40ef740 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0c7058e843c3cf4b0f485b9f526db6d0 |
| SHA1 | fc8779e60131c2c8bdcf212e85f531083e3debfc |
| SHA256 | 63c2ff80e29363b8d3647bbbed66932346620c9c98b79120f8156c194cd5080e |
| SHA512 | 77db9c3f702e287c3686b68ee1eefd7d0c00465ec88cf7b47ae1d4e9e82d67840f80fbab20d2892a46096fb8a2ebe04f6a2ed5f24dbc2f65401d5fc23ce64822 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
| MD5 | bc6142469cd7dadf107be9ad87ea4753 |
| SHA1 | 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c |
| SHA256 | b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557 |
| SHA512 | 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
| MD5 | d980d17895283a0e1d8d8a256269d284 |
| SHA1 | 005260b0d7167a7444a7a38631d828b49f5292db |
| SHA256 | 5ef8424c5a73a9a074e2ad202f3f37fc7ee6d733b38a4695c168f1c09a5885f9 |
| SHA512 | 16adc23fe985cdafda6edf4cdd0d3263b2dd043397dfff018339a084cbefbba77f5b1ff271da486eccc88ba9f6ca06170770e3a9f085d25f2bb242c42da83e71 |
\??\pipe\crashpad_2924_YQCLSQGTYKHMNCMG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
| MD5 | d118ac27f5c37c6511a9490ba6ac454e |
| SHA1 | ec400e0eb0a480a052f0bca2ec87d23e3f84c936 |
| SHA256 | 77e3ba641f04eb473d234d3bdba450ac0a2559a6dd5dcc02399e69625fe07365 |
| SHA512 | e150e7e7a853ad68d27cac44026fb76a8d25aaeb47fcdf2e78ff9d5bcfe97629ee97fff7afa37e5799c70912d0d860abdcd88a406e23bea38bc3e9b61f28f0c2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
| MD5 | f98defe17a8e79ea97a0ea9e1f2fd717 |
| SHA1 | c09a3b2399f00f62915b97d5e8f04ffdbb9ff200 |
| SHA256 | 5474c5a6cbf3c417b8fa8202aeed419d12038b81449674aad6cb20781843a81d |
| SHA512 | 4bd52e7581c40b63e41df8d6521a3eb38ba8f1573ee193e4878a4af0f56db239b68e0faa1b0c31c8d7a9dfea8798be5649a42a604b0a25961e5a31caf3fb735e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 935f2136b75f27769ccc7e5cda60eb27 |
| SHA1 | 480047af7d8b544cb45e713283ff3c39d9470340 |
| SHA256 | 10d421e27b815c3835ccff890a2be9fb834014a37bce460dfd22ceb9e2cf00f6 |
| SHA512 | 45559bb83faf2a8d615e5cc7b88e44ab3ab796a65828dd995bb0497591fb7b29aff0ff41c8892e370e112443a6744237bd1707ca2204ae282c55c9fbd761c810 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
| MD5 | 86efaf1a8666926f0e6efa7f7a27bb6c |
| SHA1 | f39351820a7d988cf72852c886565ee895f9917d |
| SHA256 | 7738f249275e5133c18d8006e56e540ff78a32f22d7d2ddddb24bf9b95e0b9c2 |
| SHA512 | 96ed49f9a23cbb314cfb14129dbc1fc707b37fa9fce57787ef9a9682d6f51c1a6b7b3fe379dfad22c50b7231eaa8613f1d0ad8c1df5fcd238ba897c1919b1030 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 7df9378cd068117811256fbd614f1cca |
| SHA1 | f970084108e2b2020b73f8bb4b53f235a3f20149 |
| SHA256 | 7135e9def2674879e71527bd66db955711abef935673bdbde08cdad398bef493 |
| SHA512 | f8cad8b16e908cb7541ebd2fc23d3eae4fe79f88bb5c334a85c244a330abad0f7f785824a4540ee8487f6cc96249f0058b2dc442b55a7f941312216306ee1729 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL
| MD5 | 8dd8360a04d0627d6ee2f9c8c2b6d233 |
| SHA1 | 4367fbe3fa5374554a29f239b0eca798d408c5aa |
| SHA256 | efd13aaf071384b65a9e13b39ac2e0a95f6b4123ed97a7f32be4ef7cfa5236d8 |
| SHA512 | e6ba8202016b8f83ef301277ddb24a3417220c3eebffb1413f40f5e689d8ca6ac8f26ad8ff223652c1cc8b6d06f83202171a7456d92d37d9ee086d9b96559d87 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 6e5a0fb5efdcc035796b1e6e203bbbc1 |
| SHA1 | fee75b4967e6cfd4f06c36270f273f167a05b047 |
| SHA256 | 76afc4a4e96879c25debe396e33347191b89b953a3ef9c6e01c97440cca96d99 |
| SHA512 | 9c84371aa89ef3aaadcd45f8095ad79f84d7135bf1f83009bf85fd3377f3c33a65873abb1202b3e6e45e5c757efd5a46b7a71d16e5ef4a29cb512865892760c8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
| MD5 | 929729aa7cff46b3dad2f748a57af24c |
| SHA1 | 81aa5db7dd63c79e23ccd23bf2520ab994295f2e |
| SHA256 | 3c63e6c7fa25849799d08bf54988bfb3b77b1d1eebb1e55a94b64995850cba2f |
| SHA512 | a10eaa6f2708b683bd43295b9c3da5840c0eb6d8a6b9e1922a534270fecbc0dcdb4cdcc28768df292a06f6210885b510254bdca17e5b3c507b0337fe7dc3d743 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
| MD5 | 5d05ba495d37acd79c70e5b557a0c16c |
| SHA1 | e96ad98168fa375dea9c37c8a3263437224300a7 |
| SHA256 | 21b00ea3a3278814e1e425f24bdeb0fdd79f9cbef6a4417648e711c90fb1660d |
| SHA512 | 90e9777de33256df5104001b3c76ba5c52dd71c883661e0cfb02426d45bfd805cff05bae308589f3d1a451f5163afe59ca6a3107ef0b9343c10b5c436cfb2cae |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
| MD5 | f5118dd18af12aba720339dd42830c08 |
| SHA1 | 0ed013d68aea57a1f587fe47e72464f84dc3994a |
| SHA256 | c977fccad202c62d07cca71375b7f710cf97a2679d71e9083f529a38d4e68dcc |
| SHA512 | 8a33bbfe4488d06b47c9664df2832292adc6060a99baf8bda68a751e501a7f61f15825a0e0fba85064f574539de09279b48927d154f4f366de5fec2400c673d9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | 344195b3134218414f9ec76d65c462b9 |
| SHA1 | 13e80dc8ae020fb91259d072d939cabd038fa2ab |
| SHA256 | e9305ffbcf6a27bac5113d58d0f491b8caab480c22d3d63268e14f6d59a45782 |
| SHA512 | 66e8c955f8272ef785536a7e8cc3a3b160cd27520f5a835a3846cc513c5956d022a683089a42320dfd8c04e09998ddfc759a9d33aea271b88355765ed315f175 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
| MD5 | c400056b2ea08acaae9db4bb506bcf76 |
| SHA1 | 26c5760d7c7f7f37ac3211c6d5a491fa002926b7 |
| SHA256 | 01e0b5c234c9ed4fed2d1eb9bb6c1e22cbbcc47efe737632a0bbafdaa99d5cf2 |
| SHA512 | c61391c3cc6db7683039fd113e7aeaa5e9357ccafc1701b9ff49354699aba58ab43fd3c35916aef6a954209c2bb7f4dbd1fbdc946b53c90c1ba1d952e4a81835 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
| MD5 | 51668952c3a3ab36426b1944f3728e46 |
| SHA1 | fab8bd955484c9bfe2670adf2eb9c58b63006788 |
| SHA256 | 357976c65f912707b145efd874990414a2722f485f3410f91bfd22c8969ccda9 |
| SHA512 | 0ab04d7ef2e8102dcf5cb173c3d52e2ac5a5c2c5259ecf385589b2537bbc4e2f95661d46be5a5ea147a6b9d07d61c95ff5f65badcff446a29acc2b24fdc7a31d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
| MD5 | 9eae63c7a967fc314dd311d9f46a45b7 |
| SHA1 | caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf |
| SHA256 | 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d |
| SHA512 | bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 2a1a540b49c7b8cc78b580848772ca36 |
| SHA1 | 0befd7cce06f97f3b62dd7b75f331aa3240b990f |
| SHA256 | 9f7fd5be2ed08f1955745758422d7e3cc8f5c249de32d3932c58093560892921 |
| SHA512 | bf0dc17dd0bcdc2cae7827989c8f98b62962e4002f4e93e8f8161173d27089a21afd7d4a102d432a7b19bbdaa7864abee6988dcc590176d7e7a393c2e419005c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0134421278bd8196c677004e39af44d1 |
| SHA1 | 4c225a95b716ad79b2cf28c09e11b7592a46eb41 |
| SHA256 | 84d732f79aa2d96d704a697f394b1b9fce6917ffab648423e26269d69424c3a8 |
| SHA512 | 8248eab16c4f35469ee6dbb7fad0dfd7c9e2f4a6ccaf6be040f6d34952942c6d9b6f1b3c28c1dcf1d04b77a285eec0c8e507c78e352239bb988f5c6c4210a262 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b387506d1d609cdeaacf83ed5064deb2 |
| SHA1 | 6b0593bc8f4c07496cd6baab6298b5b6086310dd |
| SHA256 | bf9944b7bebe993bf81246722865fb2d0060408f3ec4c111f2eeb8fef1a78997 |
| SHA512 | fc18fd97f40b1ce05cdc7d286de08fa15c1474633ebffa912bd7018d6c1085a66dd028a9ea53a98f219de4f1e99de489847f5dcde46efaad46f1cad8c3056a1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 95055c1bfc7002c46e872e65649db4f1 |
| SHA1 | d752df17205c45608cc6eb60560fcc2a12591221 |
| SHA256 | dffe9d282d6d6c7e87242224de65c98d3e0bd92eccb7dac4be217091d33b6bc4 |
| SHA512 | db39055e77e1d1f20c9135becf7957634479257170c422e78eedd9ec33237c3660e47faec43c99e9c2586fc8010793490cbc14326e4690005b33ac5682c6fa90 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5e82967f9315957f704c066ec7a860d9 |
| SHA1 | 4e2fa8f5e8eebc714ba54958019f0f45517bbc70 |
| SHA256 | daeb6266dc42a3209f5ddbf6cb86c4c5097236690f0dbe672dd462c014d98532 |
| SHA512 | d1cbd0f484ab1da92a1e129a961bdf5d5d844d5835ae47cfb121f534b3bb1e2615b2300e60029b2bb322dd34a1dc0741b66aeeb4d9510fc1833cb2a47c1a5e7f |
memory/2956-372-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2956-373-0x0000000002C70000-0x0000000002C80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/2956-377-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f45910e8ebe9f0df6e5ef903df0657e1 |
| SHA1 | f924a2c44cfa1412c05d9e4da383934da2a1ba9c |
| SHA256 | 18f41bf18c4df300bc34ecde651f6b6b47d5378776bdc1e369d2def06e510aec |
| SHA512 | aed953f6cffcf893d48264b5c6429f1edbe8c815e7f8180827529b5df1dc5f53c69fc1e47da624c0bc6c94c2b0981c8dd221dad89be023f3fc48d1176fd451f4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ca0f788e62d611d48989651496d0362b |
| SHA1 | 625725b3b1f71c2e3d2cbfc15c9488090049a76f |
| SHA256 | 59981c1aa6ee94a24b2aca33ebf581d69c2cd4cf3d5f86217961a07fab442219 |
| SHA512 | 0c75767f4ba3c95273de18c51fb1d50e9795e97daf23fd99acf31079583befde873d9c7ab2db7793aa1a9e7babbc02679cd658d6e8c3b05c65d224b04a8808f3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 43a86868b757012518d4963cb542d5fe |
| SHA1 | e79c4540f89d45f526ea5c8ca189b31f39fbb338 |
| SHA256 | 2f927cce18ea6bd2b9094704ccfca95d5b4de7c02254b1d899ef9f4029357e28 |
| SHA512 | f1cef761b22d4ad3ec24769c65e12ff1ebd4727d2a6a8c22c530cc1f13c110ed684cdd9e535726890b1969222e008e0d4574a5a4f284f2a8090c5b9a87f6cb90 |
C:\Users\Admin\AppData\Local\Temp\Untitled.png
| MD5 | 8b54f4a71994d75f03d925e39b270266 |
| SHA1 | 1cc3fb083cecb12eb9ea7a2296c88e68cd8ce7f8 |
| SHA256 | 8fa966daba967f094792660843018f290ff549dbed28a9c02e8cffd795f08c76 |
| SHA512 | 16291f11162869bb7a9958b851f79bad6af4c90376fb98d111debe4536c9d4eda9738be0b82d1bb9f26e45a881987f901d1b14f806ccd1f411dc2e75acdd72be |
memory/376-432-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/376-433-0x000000001B5A0000-0x000000001B5B0000-memory.dmp
memory/3092-434-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2988-435-0x0000000002980000-0x0000000002990000-memory.dmp
memory/2988-436-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/376-437-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2988-439-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/3092-441-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 5ad0ab3cf0f7dda6ca4e3f90bcb19154 |
| SHA1 | 67eaa1b3e9bfe098fd3b4173398c14f52b86cee5 |
| SHA256 | f143ff02e7e0bdb1f81e2f86869e0eceddcb01f7c81116a8dc8d53867cfaa6d7 |
| SHA512 | 668654b4a308a0b517e666e5e0c64ad9e814e27c6dd144b7f480b312b05328147672d150048be84d7b585065c501285bcc57a951aa36d151fb94848f8fd14afb |
memory/4032-451-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4032-452-0x0000000002380000-0x0000000002390000-memory.dmp
memory/1788-453-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4032-454-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/1788-456-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/640-457-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4400-458-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4400-459-0x000000001B030000-0x000000001B040000-memory.dmp
memory/3592-460-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4384-461-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/640-462-0x000000001BCE0000-0x000000001BCF0000-memory.dmp
memory/3592-463-0x0000000001600000-0x0000000001610000-memory.dmp
memory/460-464-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4400-465-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4384-467-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/640-468-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/3592-469-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/460-471-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/3780-479-0x0000000000BF0000-0x0000000000BF8000-memory.dmp
memory/1328-481-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2912-482-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2912-483-0x000000001B3A0000-0x000000001B3B0000-memory.dmp
memory/4812-484-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/4812-485-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/3780-486-0x000000001B1F0000-0x000000001B200000-memory.dmp
memory/3780-487-0x000000001B1F0000-0x000000001B200000-memory.dmp
memory/1328-489-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/2912-491-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/4812-493-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
memory/3780-494-0x00007FFB12620000-0x00007FFB130E1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | d5e535e98350bc9b20b09f97ef91564d |
| SHA1 | 0406e87bcf4650599496a11286874a5197e47014 |
| SHA256 | 2d6a58669e655683d6ada04fabf0f9370a55e685956bd90f5361db69db618400 |
| SHA512 | 91f091554a0437d5c2c0124dca2990aebacfe664bda149d77adff32ed87c56b1a0a5f28dc462c334b290264ddfb52205923175ce96e01e53a0be5ed28c4277e9 |
memory/2988-504-0x00007FFB12640000-0x00007FFB13101000-memory.dmp
memory/2988-505-0x00000000023B0000-0x00000000023C0000-memory.dmp
memory/2988-506-0x00007FFB12640000-0x00007FFB13101000-memory.dmp