Malware Analysis Report

2025-03-15 06:27

Sample ID 240120-xwla1afadk
Target Server.exe
SHA256 7601e36c6dd6488341edceb189d99cb578b571fc8ffbcf09e16d073f518cd588
Tags
hacked njrat bootkit evasion persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7601e36c6dd6488341edceb189d99cb578b571fc8ffbcf09e16d073f518cd588

Threat Level: Known bad

The file Server.exe was found to be: Known bad.

Malicious Activity Summary

hacked njrat bootkit evasion persistence ransomware trojan upx

UAC bypass

Njrat family

Disables RegEdit via registry modification

Modifies Windows Firewall

Disables Task Manager via registry modification

Modifies Installed Components in the registry

Executes dropped EXE

UPX packed file

Drops startup file

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Adds Run key to start application

Writes to the Master Boot Record (MBR)

AutoIT Executable

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks processor information in registry

Modifies Control Panel

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Checks SCSI registry key(s)

Kills process with taskkill

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 19:12

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 19:12

Reported

2024-01-20 19:25

Platform

win10-20231215-en

Max time kernel

655s

Max time network

679s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A

Disables Task Manager via registry modification

evasion

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cd0600c7b04b837ffda8d644f5a187f.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cd0600c7b04b837ffda8d644f5a187f.exe C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1cd0600c7b04b837ffda8d644f5a187f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Windows\CurrentVersion\Run\1cd0600c7b04b837ffda8d644f5a187f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
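Added worked example (not part of the sandbox report and not code from the sample): a small Python parser for the Description / Indicator / Process / Target rows used throughout this report, run over rows copied from the tables above. It pulls out the findings an analyst acts on first: the EnableLUA = "0", DisableRegistryTools = "1" and DisableTaskMgr = "1" policy values (EnableLUA lives under HKLM and only takes effect after a reboot, so UAC keeps prompting on a live host until then), Run values whose data ends in " .." (njRAT has written its Run value as "<path>" .. for years, so the trailing marker is a family hint on its own), Startup-folder drops, the raw open of \??\PhysicalDrive0 and the wallpaper change. The category labels, the POLICY_VALUES table and the SAMPLE_ROWS constant are this example's own; DisableTaskMgr is included because it is the standard policy value behind the "Disables Task Manager" signature, which the report names but shows no row for.

Rows attributed to explorer.exe, SearchUI.exe, iexplore.exe, firefox.exe, chrome.exe and mspaint.exe (including the Active Setup key created by explorer.exe, a normal logon-time action of that process) come from processes already present in the sandbox image; they should not be read as the sample's behaviour unless the process tree, which is not reproduced here, shows them spawned by or injected into by Server.exe. The parser therefore groups hits by process so those rows stand apart.

```python
"""Pull actionable findings out of the indicator rows of this report.

Added example, not part of the sandbox report. It reads rows in the report's
own "Description Indicator Process Target" layout; the category labels,
POLICY_VALUES and SAMPLE_ROWS below are this example's own.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^(?P<desc>Set value \((?:int|str|data)\)|Key created|Key opened|"
    r"Key value queried|File created|File opened for modification|"
    r"File opened \(read-only\)|N/A)\s+"
    r"(?P<ind>.*?)\s+"
    r'(?P<proc>[A-Za-z]:\\[^"]*?\.exe)\s+N/A$',
    re.IGNORECASE,
)

# Policy values under ...\Policies\System and the setting that disables the control.
POLICY_VALUES = {"EnableLUA": "0", "DisableRegistryTools": "1", "DisableTaskMgr": "1"}
POLICY_RE = re.compile(r'\\Policies\\System\\(\w+)\s*=\s*"(\d+)"')
# njRAT stores its Run value as "<path>" .. ; in the report's escaped rendering
# that shows up as \" .." at the end of the indicator.
NJRAT_RUN_RE = re.compile(r'\\" \.\."$')
PHYSICAL_DRIVE_RE = re.compile(r"\\\?\?\\PhysicalDrive\d+")


def parse_row(line):
    """Split one row into (description, indicator, process); None for non-rows."""
    m = ROW_RE.match(line.strip())
    return (m.group("desc"), m.group("ind"), m.group("proc")) if m else None


def classify(desc, ind):
    """Return a category for a notable indicator, or None."""
    m = POLICY_RE.search(ind)
    if m and POLICY_VALUES.get(m.group(1)) == m.group(2):
        return "policy_tamper:" + m.group(1)
    if desc.startswith("Set value") and "\\CurrentVersion\\Run\\" in ind:
        return "persistence:run_key" + (":njrat_marker" if NJRAT_RUN_RE.search(ind) else "")
    if desc == "File created" and "\\Start Menu\\Programs\\Startup\\" in ind:
        return "persistence:startup_folder"
    if desc == "File opened for modification" and PHYSICAL_DRIVE_RE.search(ind):
        return "raw_disk_write"
    if "\\Control Panel\\Desktop\\Wallpaper" in ind:
        return "ransom_note:wallpaper"
    return None


def triage(lines):
    """Group notable findings by the image name of the process that produced them."""
    findings = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        desc, ind, proc = row
        category = classify(desc, ind)
        if category:
            findings[proc.rsplit("\\", 1)[-1]].append((category, ind))
    return dict(findings)


# Rows copied from this report (plus a header line, which the parser skips).
SAMPLE_ROWS = r"""
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Windows\CurrentVersion\Run\1cd0600c7b04b837ffda8d644f5a187f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
""".strip().splitlines()


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_ROWS).items():
        for category, ind in hits:
            print("%-16s %-34s %s" % (image, category, ind))
```

On a live host the three policy values can be confirmed with reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA and the HKCU equivalents for DisableRegistryTools and DisableTaskMgr; the Run values with the " .." suffix and the Startup-folder copies are what to remove before rebooting, since the reboot is what makes EnableLUA = 0 effective.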

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\b: \??\e: \??\g: \??\h: \??\j: \??\k: \??\l: \??\m: \??\o: \??\p: \??\q: \??\r: \??\s: \??\v: \??\w: \??\x: \??\y: \??\z: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\Y: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\D: \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
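Added worked example (not part of the sandbox report and not code from the sample): tmp7C93.tmp.exe opened \??\PhysicalDrive0 for modification, which is how sector 0 (the MBR) gets overwritten, but the report records only the open, not the bytes written. The check an analyst wants afterwards is on the disk itself: read the first 512 bytes and verify the 0x55AA signature, the four partition entries and the boot code against a known-good copy. The function below does that over constructed sample sectors, a minimal good MBR and one whose boot code has been replaced and whose partition table has been cleared; both are built inline here and are not taken from the analysed machine, and the baseline hash is this example's assumption. On a GPT disk sector 0 still holds a protective MBR, so the same signature and partition checks apply, but the GPT header at LBA 1 needs its own verification.

```python
"""Verify the MBR of a disk after a raw write to PhysicalDrive0 was observed.

Added example; not part of the sandbox report. The two sample sectors are
constructed here; the checks are plain MBR layout rules.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold boot code
TABLE_OFFSET = BOOT_CODE_LEN   # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"        # bytes 510..511
ENTRY_FMT = "<8BII"            # status, CHS start(3), type, CHS end(3), LBA start, LBA count


def build_mbr(boot_code, partitions, signature=SIGNATURE):
    """Assemble a sector from boot code and (status, type, lba_start, lba_count) tuples."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, 0, 0, 0, ptype, 0, 0, 0, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + signature


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        fields = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype != 0:
            entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def inspect_mbr(sector, baseline_code_sha256=None):
    """Return a list of findings; an empty list means every check passed."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("partition table is empty")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid status byte 0x%02x" % p["status"])
        if p["count"] == 0:
            findings.append("zero-length partition of type 0x%02x" % p["type"])
    spans = sorted((p["lba"], p["lba"] + p["count"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partitions overlap at LBA %d" % start_b)
    if baseline_code_sha256 is not None:
        if hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest() != baseline_code_sha256:
            findings.append("boot code differs from baseline")
    return findings


# Constructed samples (not taken from the analysed disk).
# Known-good stand-in: a short real-mode prologue, one NTFS partition at LBA 2048.
GOOD_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\xeb\xfe"
GOOD_MBR = build_mbr(GOOD_CODE, [(0x80, 0x07, 2048, 1_000_000)])
GOOD_CODE_SHA256 = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()
# What an MBR locker leaves behind: boot code replaced, partition table cleared.
LOCKED_MBR = build_mbr(b"\xeb\xfe".ljust(BOOT_CODE_LEN, b"\x90"), [])


def main():
    for name, sector in (("good", GOOD_MBR), ("locked", LOCKED_MBR)):
        print(name, inspect_mbr(sector, GOOD_CODE_SHA256) or ["ok"])


if __name__ == "__main__":
    main()
```

On a live Windows host run as administrator, open(r"\\.\PhysicalDrive0", "rb").read(512) returns the sector; on an acquired image it is the first 512 bytes of the image file. The baseline hash should come from a clean machine of the same build, since the boot code written by different Windows versions differs.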

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File created C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
File opened for modification C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
File created C:\Windows\rescache\_merged\2717123927\3950266016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\rescache\_merged\4032412167\2900507189.pri C:\Windows\explorer.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "858503377" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31083477" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000021097fc79ccb0e46b7acd080b74ee93e00000000020000000000106600000001000020000000dcaa003ea7c3c99e238d0228bc4a194643a83d079347662df405eeecc71ec454000000000e80000000020000200000001c2e0aa8dff8fa9b6ec703efa751f06bd45b079c57e2fb3086e5e1532897c97f20000000b7ee7b0da8a48725b88dd5368c0d6cd24ba5775f43b2e363686dbdc2803178ff40000000d251f02dcd48248c7b53db40006b3e7245730ee00e332d515ea77a3d825048ef33887fbd284e25db7f29bd404147c7aa9eaefabd8791a94c58a902bf4b2f4b6a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00616e33d54bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5EBD7FFA-B7C8-11EE-945A-5A4B9B3770F9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31083477" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "858503377" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000021097fc79ccb0e46b7acd080b74ee93e00000000020000000000106600000001000020000000f735851d318c0a78fcf40ece506fa39dcec67755ff5d31cac191f1ab48074350000000000e8000000002000020000000d631568c815058bba444fd7b2fb95347b1b71d7d1cbc87d723409415cfaba839200000000447e0d6374e37e90fd86cd26bd6a6a6bc5e3be6baa108fb5c735a97a83c6e1740000000c095bd96ca40d08650d53c3155b32fca4266aa22395361412e721d7d313e738b7a1f8e1c103191d35113da277eef935d57a5149222bc9aba2fd1b71ece745fca C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d27033d54bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133502517144694881" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133471047317365320" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Ention.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\tmp1208.tmp.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe
PID 212 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe
PID 212 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\netsh.exe
PID 212 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\tmp50F9.tmp.exe
PID 212 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\tmp50F9.tmp.exe
PID 3884 wrote to memory of 2420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 2420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3884 wrote to memory of 1860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\tmp50F9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp50F9.tmp.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x350

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb4f4e9758,0x7ffb4f4e9768,0x7ffb4f4e9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1836 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4436 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=2068,i,10168092327241944071,2808898442713564537,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6f8107688,0x7ff6f8107698,0x7ff6f81076a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x64,0x258,0x7ff6f8107688,0x7ff6f8107698,0x7ff6f81076a8

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RepairMount.xsl

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:82945 /prefetch:2

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CloseRegister.dib"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

C:\Users\Admin\AppData\Local\Temp\tmpEB2D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEB2D.tmp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EB5B.tmp\EB5C.tmp\EB5D.bat C:\Users\Admin\AppData\Local\Temp\tmpEB2D.tmp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\3.VBS"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x39c

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.0.2109319935\1912898306" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd468761-6c56-451b-970b-bc802a56d494} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 1784 20dd7ed4e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.1.600643934\1601323613" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2096 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2dbbfbf-a108-4295-b517-a02b1b567b82} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2132 20dcce72258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.2.1040698632\901034700" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2644 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8fbfa5f-3b90-4914-9b3a-46606c82864e} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2808 20dd7e5b758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.3.883549603\1178929915" -childID 2 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6a2c945-4f73-4d16-9439-2a31db83b786} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 3376 20dcce61f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.4.778208152\1375262193" -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4184 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1b8d20f-5c40-4df8-8767-fab37efe4ac0} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 4208 20ddcfe0c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.7.1048989642\759221270" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55457ae7-dc70-4842-9031-8a7cebb20413} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 5164 20dde0c3058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.6.1803477440\791305317" -childID 5 -isForBrowser -prefsHandle 4972 -prefMapHandle 4976 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {639f1dbb-029a-48a1-904b-25e490d5b562} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 5056 20dde0c3358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.5.869593828\1169843573" -childID 4 -isForBrowser -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cb65a0b-85c6-484f-93f6-d2cffe8d1435} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 4848 20ddcfe1258 tab

C:\Users\Admin\AppData\Local\Temp\tmp31B3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp31B3.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7C93.tmp.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Users\Admin\AppData\Local\Temp\tmp1104.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1104.tmp.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp3FD1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3FD1.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\Locker.exe

"C:\Users\Admin\AppData\Local\Temp\Locker.exe"

C:\Users\Admin\AppData\Local\Temp\Ention.exe

"C:\Users\Admin\AppData\Local\Temp\Ention.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\tmp4DAD.tmp.mp4"

C:\Users\Admin\AppData\Local\Temp\tmp1208.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1208.tmp.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"

C:\Windows\SysWOW64\shutdown.exe

shutdown -s -t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3abf855 /state1:0x41c64e6d

Network


Files

SHA512 4e14e5e9c834723a23d3982fa2c5223eb0ac09403bc5cde638733c2a96dc28f820f76b6614e444b5a2aef3fb9f53c6e8f1fffd265ae7bb0af0c372aa7f548bfe

memory/4392-741-0x00007FFB4CA60000-0x00007FFB4D44C000-memory.dmp

memory/4392-742-0x000000001CD80000-0x000000001CD90000-memory.dmp

memory/4392-780-0x00007FFB4CA60000-0x00007FFB4D44C000-memory.dmp

C:\xina1_icon.ico

MD5 ea930fd90cdcf6d31a2ec4c1559b41f9
SHA1 498db95c46ed784d6c6b83b6ad30184ceb7f80f0
SHA256 aba2367393eab39caa359b90c62ac0231e7af228070c50496a984be89bba4f3e
SHA512 726bf8c578a9019ac025c2fc021cdf7c111597d182720d62c48be9ea4fb3c8f4da777ff2305695a27d0db61c3af9da48e99ada694eab71df9fec459c50a00656

C:\xina2_icon.ico

MD5 d129b378192f4f70d831fb7034d7992f
SHA1 c782ed401d9a33644568dd3d4c78b49ec3d9a4a0
SHA256 3d41e7d8040bc0c91f371f88dbbd7eee29e7c8408d2de331636096f81cc57b4d
SHA512 b31d3191ad62011d53f77e789333f3669b515172aa30f914ca116af0b8b6949a031b002aa391637fdd7ab9a63a5b0dd5ce37dd691766f3d896ff570dcf23b2a7

C:\xina3_icon.ico

MD5 37cf805ea6e33432e8bcd4e028938faf
SHA1 c0ea05823441d9115a2f079346efff5ad2967930
SHA256 c638d0fedabee0972e593ef24aacb2bc86ddcb6a3357d0ddc2228e76d73051bf
SHA512 091bd6d4e0f5707df74a461657b513cf7c61b94e780b80f8f93fb000b0e29b7f59c08a35964d4dbee005e7bd9d3c9be5a69a2486996e3a9f09a3d3784d424a4f

C:\xina4_icon.ico

MD5 5e3393e772f5aad126c10b86b8b59c62
SHA1 ac70b3a5ce29c2d432263a11a4f157fa53222c23
SHA256 049e8a377ff04c64b0e804d14a96f1469bfdf60c6b38d807d8b1af5b293221ef
SHA512 3903acb567fdfd0abff26dcbd4c7c9ebfe569569b1af78283beedd7c2343baa3e3fe19a2e851e43b7313017624435ce814dc839f79c67d3c7ee528b3c71666a7

C:\xina5_icon.ico

MD5 ef185b61dfa8298a39bd12bc5b5ad56e
SHA1 3401678e4ebf8a78c664994e864a18cde058c20f
SHA256 ff3838388c2ed572a4d2ce6b8b6d77490bc56bab33ccf8c586bac27d2df83b68
SHA512 e7fa3e4f302801e617442764a28b7f7a24a394319903a411f40d6da31d03b7530a8160193010ef868c90f9259d44085d113b73fc09a0e72c5a1f9f990d87e7bf

C:\xina6_icon.ico

MD5 fc5f065a5e8ede646d1595c50f9253f8
SHA1 5c9a10baa223eca0ca3005b760b21f9dfe656e94
SHA256 90a1510f938da7440b9b0d2f82428885684761898d4f76575b1c2fbdfc245d92
SHA512 49a96c244bacdf8b5dde05f3b57c18d2f83a53f3f82bf32f6c8026d890e047f6b11d0d7d9357e8d6f509acbaa5fa37d5aab72c26e58f46c99885f272a747f544

C:\xina7_icon.ico

MD5 cb099d15874bc078218294749eb7b6bd
SHA1 27647365028ef3fe8df37d9341595501c5748b9b
SHA256 2efb6ed0f26f8a561014536a1eb846cd4467d830998f6bf2c89f5dbd4a87f1f3
SHA512 c350bd8959004da8cf76a4d79a25629c4e38ad57e22230a29c339685c076cfc0044cc241dc206016183549ac66da685a3d673938f0af6c69f40c0bb6ee5fbc2e

C:\xina8_icon.ico

MD5 337dc66064bf405d08a2c9c2f8b80ee1
SHA1 34e79eaf97bc9274222df62331ed464b06c26deb
SHA256 0bcb24229a3ca5ab524b3241e79d71d0b190994b77d4c420985e8f89b9557774
SHA512 61616a7d4e29c9a47b8f0f6c3a21e68b51ee2a185a2e0e6d3f7933a932305a246091c9ae757aa4d49601f2631e3cb5c62618a1e2a2932b957b9b279d019db337

C:\xina9_icon.ico

MD5 c7e83c267bc0e3238163b11a968d59d0
SHA1 180d269f95d88ab98c4abfaf5024119ab22f5424
SHA256 939f8ad378a8372438fdea72adb3f56cf4ecf3ab3d517efdbf5588c3a34be3dd
SHA512 054593312a083ae7f86b6aaa18ec206193b08368a8166f09815056ed339d1370ed0f03500fd39ad45bcba7a4a450b819415e695ff0a8cbca6db2a5999f9bb741

C:\xina10_icon.ico

MD5 312462041a762b3ca42e106dd23c77ef
SHA1 199e0d9650f70bc9d4aceb95da7d7200668dddde
SHA256 df0e53d5be9ecf641313960c107ab41bce93c8cf4849d006077e33a424cb15c5
SHA512 4d57c6b4659ededbecb127a9676f6cc64644cc270e33ceabe469e84c2a1b38981134aafb8f1d1e53cd0d6cc1f22f08fa3bd7e8568e8f1d907efd4bd07b51f790

C:\xina11_icon.ico

MD5 a6a4e4e3398f437cd4d431d85e9d54a8
SHA1 4afca6d917412205203b9498fd1fde26a926b7af
SHA256 03f9584495fef61a2f54a0f0cc469f26f25f35394be48b5d954d449ca37bc784
SHA512 2ef129c544c12373b8eb06160450ec4c925d2b3075d1f7925859c4a0f184911dda59b6687944b7fc086276b3966e1111535e4e859b3f3715078e1e68dfe6ac2b

C:\xina12_icon.ico

MD5 813e47eaed5990689d0d53815c68d29f
SHA1 a20cf1de1b653e7267c5dd134db2207fb1150e3d
SHA256 710b492db43e192fdf281d9d5ae58a06500b506694ce4685c64d413188c4b245
SHA512 9aa5898a1e6942e41d7cf2ccb9dfb96a0b12c4d148d24a9ec8b9f5bf608bdc0312fdfd97c779a73ea81dcb9ce7df06941efd2a0841b2afc6b439528ec0f84fa5

C:\xina13_icon.ico

MD5 fafd6d2d4a64f53220994bd4bbb9de94
SHA1 05d90ef5327c3ec114d0a36cb29927ca4796e5b7
SHA256 a8cac8b5521a9ff85faa0999ed21af3669c57a9cf51eb14760c001305c44c195
SHA512 64cc77861e5a3679cf2f323ecd673805aa6df266e720d4e889ca283017201d25f194767b7c36aaeeb4a4eebe062d2597fc3e13f1b7e6054b4707ee74178df232

C:\xina14_icon.ico

MD5 398df692cd2ec1bb7920ea5449d965a1
SHA1 d4fb9dc4e31cb5ec3ca4e2dd2223a0d4bc4256ec
SHA256 76fe950ef1408b93f1a13a7197cd3221d8eb6f6660ccf9aaec3bf94f8b9ef703
SHA512 2156c194183d961a06daeca442fe8da4808f2065e8936f4fee10f487784721c0976a69e39a466f1bc1a0c31e082025774a391bbad2138cab638bce4153ca7201

C:\xina15_icon.ico

MD5 b28cdde3e6551f820fbf4d1ae4da6677
SHA1 8e1fbc56e308b24dca374eb5debc9e9bdd5f6135
SHA256 dc1a15e29698e60ac326185e619eb875e869ea3d01746ac0701d11a2716f6b85
SHA512 21bab2e588190151a380d0663f0d8f307c95805af7197bb2adf6019bf28eb3cf57d9e7f621395a7f23ca847811e5a9fd316bc45fa3208c71832966c4127b8cc6

C:\xina16_icon.ico

MD5 66bd198bf0cfca918c45067bdbc354ea
SHA1 04d7bda4cd83a7d1e950a8da7f409eea72033578
SHA256 06f24e06f12ce66cb87a29d7eac67befb737ee1400f11071d4ca83ecb5c78dfc
SHA512 d2d775f19e5cd72671c739d03b6bed554dcc517f93bb83cba7bbe54fc3408cb8d177bb237620894f0cb45117bd902b6e39a7ce3f630f21c8c45b08d2280306c7

C:\xina17_icon.ico

MD5 9225599ab65c613124185b2529989cd5
SHA1 94cf9fdd8808ddc34d8c552a5fd52dd3bd6b4043
SHA256 e64658b6ee5ee61b29cbf79812b1f6cc45367eeb2cbe9da9fa5f1e63979644e8
SHA512 b535e4bf42d1bfe8d0280a694e8663fdfda224b030a80f0ccf0568009e1476cc062c3e88f9e3a3c31b62e5156504570fc17f1466acc234e83cf1f3628ac999b1

C:\xina18_icon.ico

MD5 3807d3a5a2f9fb626c97e048e3b64b1e
SHA1 1b14e6ef507551e72370b03a876e9534b0da3883
SHA256 5d99c8bc9f302d87e86addeebe013c34ca4305f3c9752fd92e979ac6d97aca34
SHA512 fd5ee94044f25dd20495dc3bae17ba89257211be6ca36df224813d7a71afe8270df7e8a74d11655dc6ab1397b5ceab3e56bfeac149a09d3015f10d4b50755164

C:\xina19_icon.ico

MD5 f6ecf41acb43f283021fa952e762b9e4
SHA1 cdd89bee571630d93ceb186ec5dbef3fc28d0019
SHA256 9962141bc3e2a1936bffa25de1e8ad85aa630d4a9770f90e9900534784683be2
SHA512 af637de1c505023a03e2fce65847fbb596a3c7dc6789f636dfc78b185b583e801274fc00f63c12e531a6eefb505a0c2bb29222a133a4f0d08a1eafa3be17acde

C:\xina20_icon.ico

MD5 0e027d0c11f6adfa7aaf640ef5cbb83c
SHA1 b9d69ff6f1ea832de0c713fd2011a1d588cc1d6f
SHA256 93bd144b21f021708564d17a127b241b6236ec7922cc772a78bbdfa9b0fd8ee4
SHA512 77c242c76e6f3aaea9df664ccfa280af6c4931adad908a069073d35cbbf521f5650a0135239f6f831049a5d13ebab595169f27eb9f847a952f8a47a18e092d7c

C:\xina21_icon.ico

MD5 0c12f084e52be0801c90d48ebaaa9c4b
SHA1 8954a0a34e1344e0ef0a8920c9935dedd1eb4dec
SHA256 b1b86e511ff375352a46b9b6fc8f3a7a20c55b7516dd1dd9d5af38adb7f527e9
SHA512 01b8f27eb18a77a7be9a1b910b93c16afcfda1e0c371463619dc6562bfc469af34d152282bde6fd4c14fc191c6b7cf1877d8607e257489498ba1c96f68c52e2c

C:\xina22_icon.ico

MD5 adb1b10c27228fd7a59a50a5839ee6bb
SHA1 579e67dca36773986fcebdd955f86cb6d47a7164
SHA256 4e876b157be27295d52d754db4367a05e2bd10550006355fef27542de0603c1d
SHA512 a2efeda33021d205b11cfce73b9897e82571f42596438020786dc58abcb0e42287ac3730f5f57fe92249f5b8fc8cf74f391fab5ba25004ee84b3741be4849499

C:\xina23_icon.ico

MD5 cf293a4f73d67d90b43d6fe2fc707e0d
SHA1 c779c8794392ac1d907170999a15d8a7440e85c0
SHA256 d2767668d76008045bb9ac633f6ae30daba499cdd4c803030b3f4119169220f6
SHA512 cd2dbe59f40101d36bcf9b2da70ed8f03e66e5c57386be68bc929e1fd05ef2b806afae135ec703e960bc159400cb402d409e7745f7b348ff47fb24861267dea2

C:\Users\Admin\AppData\Local\Temp\tmp3FD1.tmp.exe

MD5 266f2ade98624dd038c72ca75aab95bf
SHA1 11de8d657da0e1e657a25f261213ee2aa06734dc
SHA256 5cef8ee55e909df6cab616fb567a9cc3926264111f8a20ca0e861063526ecce5
SHA512 b152acb87ad6832b71508fd9208b4744912bd91ad0eb887f130009b6498948cad5402111a36b4f86ca2660b7449ed24528de8006f27cb8b0f339072de0a82a78

C:\Users\Admin\AppData\Local\Temp\tmp3FD1.tmp.exe

MD5 42da1c1135043b6a32894aa00c8e6282
SHA1 f639626ae2212a776c08b98ded056a40eef33be5
SHA256 3e838775f2280c4918c2697dac8fbffaa9e4570585881d12670e18cea7430288
SHA512 a4a6b1645acc95992218348d75d362559bbe9eaf7c3b4bcef63f9cd709b9227518ec55f2af6e11ad1fcb6d39c4fd088b8f0bc847cb4603b9970bfc11c01fbd63

memory/3480-1578-0x0000000000400000-0x0000000000A31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ention.exe

MD5 fcaaf9fd6cda7cbd4091388c8ce99fc3
SHA1 93bac8eddc1911a3180ec5ef95fc3a79526258af
SHA256 a6c4646da6122ed4550a9c73574a77a420d0c3b7b2853820396c51e63a34a737
SHA512 dbdc5cd9befd68672b6f5a52463a329c9eaffabf7716fc568382eed8df84a5e0953de387b391ab67fe227793933d8bbb24f9ab6374359b9ca85933955e806b87

C:\Users\Admin\AppData\Local\Temp\Locker.exe

MD5 46c15326ea3857320796b03e296b55bf
SHA1 722db03c617f844b84c45dc03f355da68832e423
SHA256 a6cd55b00b82ee3385f245dd6927772ca04f71d7d6c9a89397383bfe0f76febd
SHA512 1282d91617ccff84b49eab800144ddcf97ecbbcabf851275d4b6ea57fca47931b89eaa2a15f33e967e05b2d0b795d5c24ea72b0c26e466fe47f542cf7f7b0f7d

C:\Users\Admin\AppData\Local\Temp\Locker.exe

MD5 730b285fcab9e090fbd3fd85ab260446
SHA1 2a872dca86213a1b1da1ad26fd738a4798ff4950
SHA256 d6785fc1554020188a45f3495d40692c6efd0318da0dd045c887577e7c99f22b
SHA512 b1fbce2c1faa256d74a976ad1ee48e912300adb7c9f51a56502dfbb158759ccac652e2a66820d9e1db4f3b1769dc446b5494f4d77be3ffc41021f99f8527db7f

C:\Users\Admin\AppData\Local\Temp\Ention.exe

MD5 6b4187a73d737dd056bd8a34e8c04838
SHA1 a97640436b82af4aa1967be6869d491b2dd774af
SHA256 7926197264900db7ccc6b779c708bd48fb65cf0e88e0fafc930c01d14d22ce65
SHA512 324b2f32911ef73a095c0cd73532c86440ef701e928bb67cbd0a3ed5ae85f463082e4505715b1130ade6d5160a49269673d7512ebbf94c7d23519afc973fd3a9

memory/3180-1593-0x0000000000400000-0x000000000075A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt

MD5 e7cf6700045181cb6889772d0d915586
SHA1 ec2478210baee9d7e7ac72d43b66ce642ffc4147
SHA256 3f93a8b1cdb1a748236e3d4230bd856abefa8d3660b691de89c5fc4e249a0fed
SHA512 79f764665cabbba8cf707b6af065c92c3a91ee8f393c6bfe121db64e8fc446aef39bbd8d47efea20c948d907454bde6b1deefba3ef3fb847ec3452bf136a3352

C:\Users\Admin\AppData\Local\Temp\aut425C.tmp

MD5 7c30424c525cb64760083e066ca1f77d
SHA1 69c369028e3db4fe5c2fbc69cbd837d66496c480
SHA256 b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643
SHA512 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df

C:\hell_no.wav

MD5 22aa4efefa11404c5656516f4f257a59
SHA1 2b7476f4fc38d51303dc78dcdef4577ea59efa09
SHA256 88f4e80980753871fe322f8dda83e72900cca29961efdf25bd119b259a57d05e
SHA512 167d77f6f5aeb19fc98b6dc969f8ea91906aa23f5771b3f764884a685acbea5fa545486e72daf79decfa86265e6718a0d5e95c6f9c01bbc14a5c6b7c0ad2380f

C:\omg.wav

MD5 4f0ad7516cd72bc8e78452edbfb7675b
SHA1 fdaf974becd0d3d66eb580df0e4beaf048ef22b4
SHA256 654700adddf4f3b7f18f08d3d7ba2df035a026fd38b86f700b950d4ce4cc0cfe
SHA512 d973a212cb46199bfbb938edd724e187f52d273eb92f0f32390f6b8c269886d55a2009545a3b46d456eb8a42f1c76e4956bfde803898d053e2164aa58a92f584

C:\avocado_icon.ico

MD5 6d362a3e515cc18d537f74fca1f75293
SHA1 99a5b363ac274e027530fa7a532a007b0e6c56f3
SHA256 c87dc1a91720070afe96d3be716d6203540da4d08e9d2339967a8a2a6a521d42
SHA512 896ac439ff7ff58b33413fd978bee25afffd9f4b2a8183ad63db861b92c7118bad0b845ccd85390c8b8a76ba57f6a6fb7d0ad3970bdb0a28fb9f2ed718979821

C:\Users\Admin\AppData\Local\Temp\tmp4DAD.tmp.mp4

MD5 e8653029eedb0e8e72a610d15c77907c
SHA1 1eb9f618ef3d2f2711e166721d3f5047313073e5
SHA256 9c066096d1c6c277bb85c2c1e2f1371a964ff544b8187658cd35a79544f30c1b
SHA512 6665da01a2b1923c0064856f60d99114dfe266a2660cd749da195d19b42b8e2e2c93232b548029e725b09d5657bb6c3a609b806086d522751e185f3925ddb915

C:\rock.wav

MD5 2483ba5ed0b989e311c585760c624055
SHA1 e4a793b783beb97a94d04c2e2795f02aced64d14
SHA256 651ab26c519b7a0ac97e0adc3c452efbc9233f695f5ae0bb70d42d5b3e37cac5
SHA512 a37554d540383958614fbd898dd7435476480b4c7aa83b9191f626567c1835f338ec35c4799fa544d9cc0bc2aa7b2139ec929f26bffb4fc0424c10c09b8a72b1

C:\amogus.wav

MD5 c30df0f1ba8d92eccb020946a107c7fe
SHA1 fe95d0b0246a4ecc25fc89ee7102647e12c1dcb5
SHA256 3d6d12cadb2ef6fe5b2a03d15964512bc32895e338c2da25ae2cb07bcb31deae
SHA512 624aebee4d918c8eed1716d17829a36104eb5aeb2d23be021e61f9d8e59a6aeb7215c14365ac081fa2f820e561aa108be25640d1634983dff7ca8ebd4dbd6a45

C:\bom.wav

MD5 1c782f17124b6eea9619acc46fc165a4
SHA1 aa22fe4a52723cf2ec83af3b478531c83ac1c589
SHA256 9f1c04f4d37d995f9f6cdb7751be399468c275f91c35f30bdb45ff9ff31190eb
SHA512 2b63129054cffd9037963f9e42c46c489e697f81109f8465c9cf3915894f143ffa444e9fb1bef195111ea915f36b51f08246b5ddc7ae5763d056bd0c8b0a7921

C:\bass_imposta_sound.wav

MD5 f6d67bd69fe398b2c5238fa4c9d6455a
SHA1 a8c7dfb2cd54dd46f2eb1e2fe6a19bdf40c47e44
SHA256 3ad823c535650fcba2de953fb2ce6fc46afeb04e529494e6b60b788cb28ddc32
SHA512 63e0e262338850ffe35929af320d17eb850efa046f860ca4fdb93518dbeeb2fe9ab3d4d13305c6d1f5c9fe78b42615ac0794d160b66fad5e3a30309dfed117e8

C:\ustupid.wav

MD5 afc635b14cc1d36ce347aa3ad423bcde
SHA1 306b78de47455914a0550229035516b951e638c5
SHA256 80d9439a20f9f0b09bfb6b7b71a84bd9875c2363141b323522ab0473df90c0b5
SHA512 ce4b43b1b876b741d312a045fede59c4b1287f084a4fd0a1929aa8e6da3820450f25ae9436d48885e30908201e6a82cd3ad7e8e9d92b16aa68aa1e0b37366d40

C:\fnaf.wav

MD5 a91d1592b7e50f377e7d173951c58178
SHA1 ba8c41495c9209b17b2538bc991a537f3493ebb1
SHA256 65c3102f1a750db1921c3c28064f94f1b53aec88852b874810cefc6a74f402c4
SHA512 8cac33c4b2964fd87ce396e519a894c6674f123e4c2f3642e358dba59ab64a17c110aa74363fca1436fc325f0a986ffdfe94c161fdeae30e425648576a8be1db

C:\sussybaka.wav

MD5 8853da13437c21bd8c8b131dacd73d4f
SHA1 844f143af3aab36ce1cee355eb7e7c5a4ba67f4a
SHA256 7616c3dc3ef9a7a6d08a54a5e955b33f001647f0821c29b92b022c044226e480
SHA512 31a3989fddbffbb8e6979bf3e855eb13ba97146cc1cee4ab6f939cf002e0a2e698a12383f0f2a8d3d6aab437da9bac7e641189565a7ced1d2c5ae1a8f149cf30

C:\fart.wav

MD5 e87a6a5fe2591cb8c7a88c0bd4cc8d3c
SHA1 75c4ca221b2f4782709f16230059bf8413de13b9
SHA256 840bbecc0e95ca503740df9ac0ac944303c4a4c5f163a3eb4d4aea329629371c
SHA512 2fce9c3827b0d16828175f8ac86029f615614ad0f147c95842113824d8177e2919cd0e09d67b9723396d259dea99e3b465b7a83972a8f1d344925cd8c14f0605

memory/4964-2106-0x00007FF65CAD0000-0x00007FF65CBC8000-memory.dmp

memory/4964-2107-0x00007FFB63AA0000-0x00007FFB63AD4000-memory.dmp

memory/4964-2108-0x00007FFB62A00000-0x00007FFB62CB4000-memory.dmp

memory/4964-2110-0x00007FFB65480000-0x00007FFB65498000-memory.dmp

memory/4964-2112-0x00007FFB63620000-0x00007FFB63631000-memory.dmp

memory/4964-2113-0x00007FFB63600000-0x00007FFB63617000-memory.dmp

memory/4964-2117-0x00007FFB62800000-0x00007FFB62A00000-memory.dmp

memory/4964-2116-0x00007FFB63590000-0x00007FFB635A1000-memory.dmp

memory/4964-2115-0x00007FFB635B0000-0x00007FFB635CD000-memory.dmp

memory/4964-2114-0x00007FFB635E0000-0x00007FFB635F1000-memory.dmp

memory/4964-2111-0x00007FFB63A50000-0x00007FFB63A67000-memory.dmp

memory/4964-2123-0x00007FFB63550000-0x00007FFB6358F000-memory.dmp

memory/4964-2124-0x00007FFB63520000-0x00007FFB63541000-memory.dmp

memory/4964-2138-0x00007FFB62620000-0x00007FFB62798000-memory.dmp

memory/4964-2137-0x00007FFB627A0000-0x00007FFB627F6000-memory.dmp

memory/4964-2139-0x00007FFB632F0000-0x00007FFB63307000-memory.dmp

memory/4964-2145-0x00007FFB61EB0000-0x00007FFB6201B000-memory.dmp

memory/4964-2147-0x00007FFB60350000-0x00007FFB6059B000-memory.dmp

memory/4964-2146-0x00007FFB62250000-0x00007FFB622A7000-memory.dmp

memory/4964-2144-0x00007FFB62560000-0x00007FFB625AC000-memory.dmp

memory/4964-2143-0x00007FFB625B0000-0x00007FFB625F2000-memory.dmp

memory/4964-2141-0x00007FFB62600000-0x00007FFB62612000-memory.dmp

memory/4964-2160-0x00007FFB61E10000-0x00007FFB61E85000-memory.dmp

memory/4964-2158-0x00007FFB61E90000-0x00007FFB61EA6000-memory.dmp

memory/4964-2161-0x00007FFB60090000-0x00007FFB600F2000-memory.dmp

memory/4964-2157-0x00007FFB62230000-0x00007FFB62241000-memory.dmp

memory/4964-2163-0x00007FFB60020000-0x00007FFB6008D000-memory.dmp

memory/4964-2169-0x00007FFB5FD70000-0x00007FFB5FD81000-memory.dmp

memory/4964-2171-0x00007FFB5FD50000-0x00007FFB5FD62000-memory.dmp

memory/4964-2176-0x00007FFB5FCE0000-0x00007FFB5FCF3000-memory.dmp

memory/4964-2175-0x00007FFB5FD00000-0x00007FFB5FD23000-memory.dmp

memory/4964-2177-0x00007FFB569F0000-0x00007FFB56AE4000-memory.dmp

memory/4964-2174-0x00007FFB5FD30000-0x00007FFB5FD45000-memory.dmp

memory/4964-2172-0x00007FFB57950000-0x00007FFB57ACA000-memory.dmp

memory/4964-2167-0x00007FFB60260000-0x00007FFB60275000-memory.dmp

memory/4964-2168-0x00007FFB5FDB0000-0x00007FFB5FFCD000-memory.dmp

memory/4964-2166-0x00007FFB5FFD0000-0x00007FFB60020000-memory.dmp

memory/4964-2165-0x00007FFB60E90000-0x00007FFB60EA4000-memory.dmp

memory/4964-2164-0x00007FFB60EB0000-0x00007FFB60EC3000-memory.dmp

memory/4964-2155-0x00007FFB63A40000-0x00007FFB63A50000-memory.dmp

memory/4964-2148-0x00007FFB41E50000-0x00007FFB43600000-memory.dmp

memory/4964-2159-0x00007FFB60280000-0x00007FFB60345000-memory.dmp

memory/4964-2156-0x00007FFB62530000-0x00007FFB6255F000-memory.dmp

memory/4964-2140-0x00007FFB62020000-0x00007FFB62190000-memory.dmp

memory/4964-2136-0x00007FFB63310000-0x00007FFB63321000-memory.dmp

memory/4964-2135-0x00007FFB63200000-0x00007FFB6326F000-memory.dmp

memory/4964-2134-0x00007FFB63330000-0x00007FFB63397000-memory.dmp

memory/4964-2132-0x00007FFB633D0000-0x00007FFB633E8000-memory.dmp

memory/4964-2133-0x00007FFB633A0000-0x00007FFB633D0000-memory.dmp

memory/4964-2131-0x00007FFB633F0000-0x00007FFB63401000-memory.dmp

memory/4964-2130-0x00007FFB63410000-0x00007FFB6342B000-memory.dmp

memory/4964-2128-0x00007FFB63430000-0x00007FFB63441000-memory.dmp

memory/4964-2127-0x00007FFB63450000-0x00007FFB63461000-memory.dmp

memory/4964-2126-0x00007FFB634E0000-0x00007FFB634F1000-memory.dmp

memory/4964-2125-0x00007FFB63500000-0x00007FFB63518000-memory.dmp

memory/4964-2118-0x00007FFB4AAA0000-0x00007FFB4BB4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1208.tmp.exe

MD5 373ae1aa06abbe6d6ef4c47fda97e92b
SHA1 8fa3250e8f10813f75adf926918937affe45810e
SHA256 b1210522244d9786ca8b3cca3611d47e2f9c2a7f4e0c6dc1c6902ca72e60afcf
SHA512 b17ac076a07a8cbee06680e7f134a4358decd45498b8219ab85e9c794e0aad3feb0759ae679cf2a93362ea72b35313c9ed6ed590cab67d896e4c51f565d5b436

C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

MD5 448d64b7e2c09496500e077a00882dc6
SHA1 4796fb338dc81d16606ed76f63075b4fef8e051d
SHA256 b894b20027e433c8abe00659b972519d2e4166206de2cbc74cf41567581a099d
SHA512 c2160b4317670acea1cc9b5ba4a447ca1f95370eb119aa2299e2d3dad13d0aee1fd55ee4695b2883f2ce00339db88ec80cb0f104fb9fda8811bb3bd29afc25f6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pod.mp3

MD5 3236d81e37a573d3c969a67a0f0c97eb
SHA1 236c0f29f6f67147bd8c9d6767ef35bafe34df96
SHA256 05c8411329bb5be630da614866ffe68d11f0ccfb69b8e4593593f8eaca809e76
SHA512 84b3c55d179580aa404ee5b56eace400575bc5a28ef44da19d490b9a105e8b2d227bd1a0feb6fe9785950fc5752674217c528cf70a1ad3cece5c7a6d1c8ec1e2

memory/3744-2567-0x00000000060C0000-0x00000000060D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 c50fb080cb5db9fac2166684a1d48beb
SHA1 d1dfa5372adf1ddf049c315686fec3bb12a70b6e
SHA256 1de345c39ab8581ed271316056250d07a2e8b30b37c0fbc20dcb7d75ca100328
SHA512 ed65c29ebde18564d61a9f36808c4dbe65a951aec9203334ea268ca99b4aae48f06e53517a22349f446c1c083e60cebeefb09140492faf01de81e74fd7454c01

memory/3744-2722-0x00000000060C0000-0x00000000060D0000-memory.dmp
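The dropped-file list above is the part of this report most useful for hunting, but two things are easy to miss when reading it by hand: the same path appears more than once with different digests (tmp3FD1.tmp.exe, Locker.exe and Ention.exe were each written twice with different content, which is a staged or replaced payload rather than a duplicate entry), and the memory/<pid>-<n>-<start>-<end> names encode the process and region each dump was taken from. The following is an added example, not part of the sandbox report or its tooling: it parses this listing layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, plus memory/... lines), reports paths that were overwritten with different content, emits a deduplicated SHA256 set, and can check a recovered file against an entry's digests. The embedded sample is a constructed subset of entries copied from the list above; the function names and the assumption that the report keeps exactly this plain-text layout are the author's own.

```python
"""Parse a sandbox 'Files' listing (path line, then MD5/SHA1/SHA256/SHA512 lines,
plus memory/<pid>-<n>-<start>-<end>-memory.dmp entries) into IOCs.

Added example; not part of the sandbox report. Assumes the report's own
plain-text layout as shown above."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the list above, in the
# report's layout (SHA512 lines omitted here, but the parser accepts them).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\tmp3FD1.tmp.exe

MD5 266f2ade98624dd038c72ca75aab95bf
SHA1 11de8d657da0e1e657a25f261213ee2aa06734dc
SHA256 5cef8ee55e909df6cab616fb567a9cc3926264111f8a20ca0e861063526ecce5

C:\Users\Admin\AppData\Local\Temp\tmp3FD1.tmp.exe

MD5 42da1c1135043b6a32894aa00c8e6282
SHA1 f639626ae2212a776c08b98ded056a40eef33be5
SHA256 3e838775f2280c4918c2697dac8fbffaa9e4570585881d12670e18cea7430288

memory/3480-1578-0x0000000000400000-0x0000000000A31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Locker.exe

MD5 46c15326ea3857320796b03e296b55bf
SHA1 722db03c617f844b84c45dc03f355da68832e423
SHA256 a6cd55b00b82ee3385f245dd6927772ca04f71d7d6c9a89397383bfe0f76febd
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_file_list(text):
    """Return (files, dumps). files: list of {"path": ..., "MD5": ..., ...} in
    report order (a path listed twice stays two entries); dumps: list of
    (pid, seq, start, end) tuples parsed from memory/... lines."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"digest line with no preceding path: {line}")
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current[algo] = digest
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            pid, seq = int(m.group(1)), int(m.group(2))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append((pid, seq, start, end))
            current = None          # a dump line closes the previous file entry
            continue
        current = {"path": line}    # anything else opens a new file entry
        files.append(current)
    return files, dumps


def rewritten_paths(files):
    """Paths that appear more than once with different SHA256 values, i.e. a
    dropped file that was overwritten with different content during the run."""
    seen = defaultdict(set)
    for entry in files:
        if "SHA256" in entry:
            seen[entry["path"]].add(entry["SHA256"])
    return {path: sorted(hashes) for path, hashes in seen.items() if len(hashes) > 1}


def sha256_blocklist(files):
    """Deduplicated, sorted SHA256 set suitable for a blocklist or hunt query."""
    return sorted({entry["SHA256"] for entry in files if "SHA256" in entry})


def digests_of(data):
    """Compute the same four digests the report lists, for comparing a
    recovered file against an entry."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def matches_entry(data, entry):
    """True only if every digest present in the entry matches the data."""
    actual = digests_of(data)
    algos = [a for a in HEX_LEN if a in entry]
    return bool(algos) and all(actual[a] == entry[a] for a in algos)


if __name__ == "__main__":
    files, dumps = parse_file_list(SAMPLE_REPORT)
    for path, hashes in rewritten_paths(files).items():
        print(f"overwritten: {path} -> {len(hashes)} distinct SHA256 values")
    for pid, seq, start, end in dumps:
        print(f"pid {pid} dump #{seq}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes)")
    print(len(sha256_blocklist(files)), "unique SHA256 IOCs")
```

Run against the full list rather than the sample and the overwritten-path check flags tmp3FD1.tmp.exe, Locker.exe and Ention.exe; the memory entries for PID 3480 (0x400000-0xA31000) and PID 3180 (0x400000-0x75A000) are image-base regions of 32-bit processes, which is where to look for an unpacked copy of the UPX-packed payload if the dumps are available.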