Analysis
-
max time kernel
341s -
max time network
346s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
25-04-2024 17:36
General
-
Target
Peki V4.exe
-
Size
548KB
-
MD5
3d3e8bc1bd5265a4f35da0b594d60fbf
-
SHA1
27ae0bb3399f9178f272258a4a9153d5af6aea56
-
SHA256
2ba3caaba8ddeae1e33ec188c3c4ae322b856b44e0caabeb8909c661c668e6e5
-
SHA512
d41707d765f93b0790887a1351c72584356146c1d02e8fd1009739404d34b329d6abb538e1fd9f28161ed0e229a1259460655232676109f081cc14a0022f2b05
-
SSDEEP
12288:TTPUCQSmbfMcsgJqyE/KWcRTTjyRrh3sb3H:TTPLmrMZ8WcJHyzcrH
Malware Config
Signatures
-
Cerber 50 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Nirsoft 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 30 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 15 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Kills process with taskkill 41 IoCs
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 34 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 61 IoCs
-
Suspicious use of SetWindowsHookEx 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Peki V4.exe"C:\Users\Admin\AppData\Local\Temp\Peki V4.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Peki V4.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Peki V4.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 52⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffe621ab58,0x7fffe621ab68,0x7fffe621ab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4184 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4380 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4320 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4016 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3360 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4416 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3380 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4924 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4336 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2620 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3268 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5164 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4716 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1552 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5672 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3732 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1980,i,5080004854317627543,2692620950792938439,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004DC1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Peki_V4.exe"C:\Users\Admin\Downloads\Peki_V4.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Peki_V4.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\Downloads\Peki_V4.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 52⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\INF\Peki_Spoofer_V4.exe2⤵
-
C:\Windows\INF\Peki_Spoofer_V4.exeC:\Windows\INF\Peki_Spoofer_V4.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c title Peki Spoofer V44⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color 1f4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/akfDT6Gb8K4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffd58e3cb8,0x7fffd58e3cc8,0x7fffd58e3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,11562923247552517804,10740080273347196487,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,11562923247552517804,10740080273347196487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,11562923247552517804,10740080273347196487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11562923247552517804,10740080273347196487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11562923247552517804,10740080273347196487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,11562923247552517804,10740080273347196487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:15⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic diskdrive get model, serialnumber4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get model, serialnumber5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic bios get serialnumber4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get serialnumber5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c getmac4⤵
-
C:\Windows\system32\getmac.exegetmac5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color f4⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Downloads\Peki_V4.exe"C:\Users\Admin\Downloads\Peki_V4.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Peki_V4.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\Downloads\Peki_V4.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 52⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\INF\Peki_Spoofer_V4.exe2⤵
-
C:\Windows\INF\Peki_Spoofer_V4.exeC:\Windows\INF\Peki_Spoofer_V4.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c title Peki Spoofer V44⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color 1f4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/akfDT6Gb8K4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd58e3cb8,0x7fffd58e3cc8,0x7fffd58e3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4548 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2024,2495617045267265608,17537873423954819792,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3460 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d "a49cc3de-e713-573a-e584ba72c0148855" /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d "a49cc3de-e713-573a-e584ba72c0148855" /f5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDconfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d "{a49cc3de-e713-573a-e584ba72c0148855"} /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDconfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d "{a49cc3de-e713-573a-e584ba72c0148855"} /f5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v NetworkAddress /t REG_SZ /d "f22abe1446d5" /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v NetworkAddress /t REG_SZ /d "f22abe1446d5" /f5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\INF\dr43.exe4⤵
-
C:\Windows\INF\dr43.exeC:\Windows\INF\dr43.exe5⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\lol.bat6⤵
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "WAN Miniport*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "C:\"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "D:\"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "E:\"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "F:\"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "G:\"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "Disk"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "disk"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Windows\DevManView.exeDevManView.exe /uninstall "WAN Miniport*" /use_wildcard""7⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%PR-WARE%RANDOM%SS6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 24169PR-WARE14792SS7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%PR-WARE%RANDOM%SV6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 224169PR-WARE14792SV7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%PR-WARE%RANDOM%SV6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 824169PR-WARE14792SV7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%PR-WARE%RANDOM%SK6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 524169PR-WARE14792SK7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%PR-WARE%RANDOM%BM6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 424169PR-WARE14792BM7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%PR-WARE%RANDOM%BS6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 624172PR-WARE25540BS7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%PR-WARE%RANDOM%BV6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 324172PR-WARE25540BV7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%PR-WARE%RANDOM%PSN6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 724172PR-WARE25540PSN7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM Costa-Tech-Support6⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM Costa-Tech-Support7⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\amide.sys6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\amifldrv64.sys6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM DevManView.exe /F6⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM DevManView.exe /F7⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\DevManView.exe6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\DevManView.cfg6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\DevManView.chm6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\Microsoft\Windows\lol.bat6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\INF\LNC.bat4⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im UnrealCEFSubProcess.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im CEFProcess.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im smartscreen.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im smartscreen.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im dnf.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im DNF.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im CrossProxy.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im tensafe_1.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im TenSafe_1.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im tensafe_2.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im tencentdl.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im TenioDL.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im uishell.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im BackgroundDownloader.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im conime.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im QQDL.EXE5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im qqlogin.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im dnfchina.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im dnfchinatest.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im dnf.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im txplatform.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im TXPlatform.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im OriginWebHelperService.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im Origin.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im OriginClientService.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im OriginER.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im OriginThinSetupInternal.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im OriginLegacyCLI.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im Agent.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /f /im Client.exe5⤵
- Cerber
- Kills process with taskkill
-
C:\Windows\system32\sc.exeSc stop EasyAntiCheat5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {24198-13223-22227-11794} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {11455-3947-18307-19028} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 7742-13402-1963-11066 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 3256-21931-31932-25404 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 14419 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 3131 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop4142 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop22982 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin16219} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {16244-1230-6971-15926} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {5492-13914-27193-11162} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 11883 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 30539 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 30239 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 17661-12101-242-23244 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 8013-24458-10694-19882 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 12258-24194-22013-7148 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 25009 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {13212-22105-24083-2754} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 15888-10565-1207-Admin21988 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Desktop18372 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Desktop21024 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Admin8836} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {29855-16237-15065-6019} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {11626-24054-21436-410} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 6686 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 15141 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 25995 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 5719-10923-5500-18897 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 18921-16393-20829-32115 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 26479-29554-29554-16776 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 32374 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {24015-6732-15978-18876} /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f5⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 29552-15178-23821-Admin29498 /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color f4⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StepRestore.mpa"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StepRestore.mpa"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
- Drops desktop.ini file(s)
-
C:\Windows\SysWOW64\unregmp2.exeC:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary3⤵
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\DenyConnect.midi3⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD55bc8c77cc39ef54a0eb496a99d42524e
SHA189903d48951a4a0b96d1494cad05926881302d84
SHA2562627710dba74a12ab49217e1abebe7ed8b06ad53a9c2aa08f6b9b51255f06a4b
SHA512913ea1d25d568a296e6c4b7a50ce356ae7fc4f22a0a8a3c9cebebf5266ed554f988e0aef077b99f682768f6f6b8932de796a38d758e2556426899cff869e19a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
408B
MD511185889628d122f18b0c3e9a3666ace
SHA1fa68a824c1fb88f25b6e20a47b948d6c6fed8f42
SHA2564d8dc472fb7888e2238fda07430b0d58284e92c0f38a7e3f67156bb421909fb5
SHA5124215ac754c18e89465c5a083a195682a5a2e1d5f8381fa0ec242df4c39c911dfa66a019115efee6437e35a7f282c2ac99af957bbf558e4651e32963e1b997a0d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD539e71004b2d0c8a3dd73ce0d38c0c152
SHA182e44e275ec6bf680762daae465d7b918923da89
SHA25607829091a6c93a554b77a966dc1d9a3c949ac027cb3acc3046df8e1020536a26
SHA512f9dd94ee47caa64e8d3626bc579b03ba044e056d6702fa8f1c78945cecddba40deda82fa5120b92cb8733e2f2b93dc52e7b24651e9e60555d2a2fbf8f56f90a2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
4KB
MD51e93f1be5bd49504cf28960dc40050bc
SHA13c2614572cb25536e8ff37dda67920e57e99f1a6
SHA256d2d1e5710a2874f33b468b3a1a0a2143313bafb28de4a21b9aa0968946c3b15c
SHA512db03cd3264f5a28626d2f8a04a46a36bec8337f7de598bdd96a6ff711d58a81e53396dcc527c04483fe5feeedf141b25897d23bfe948a90906d70666f7508e32
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
5KB
MD57ea17058a785c057a143d348a6cf6d6a
SHA188ae29489a85facb74328df209c3dd565f52c73d
SHA256a8edaa770573eb549ed62d15f62e6617a05e67b6f33c00a767b1afbe1d900aab
SHA5122f8f0ee0fde32af6a10e92f2e81e18d0e301d121a51cf02b522c4970e72cf0d35ce460eece7ae9f2cc61cd42cdae62f8a1da1543e7f02606b6d65fd2b4183029
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD57cea234c8fb42be611a0dc49c79d22f1
SHA1a52e702d2e1ab1d9f06c86f1adad396bf583730b
SHA2563698d6db0c1a24f9cfd3fbf724c8e9984a3bf95ed8103f031ad28ac39b264478
SHA512a7745c3638795c0472dadcca2cd5c017d25a0ff5f1ab28fb10fba94bba421d159e55b9633639a6ab581f93bf47e5f418f0e72320c486995bad055727af919a93
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5035ecb7999230f0de9e8fae256a6765a
SHA114ca3565e8a151ad87da5068f5f00f354f76c845
SHA256d430fc76d9c3d4a2df84d46c5670f09c3c0f6e6626247f283a2a695da5f9c5ae
SHA512c5fdbc795da664febc7c61837fc9a83591151743bee7c79f73003a02fc544a26b940bb2d5ab050627a2188cee7b41e70b9cef66b33a4930d6d7dcafbd3be0612
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD51087a4d777feac2554f2584113b21f60
SHA1d0971864d0267bd213b36d6609388630afd139f5
SHA256f5b824895a0d62131d4eac3faf8901afeab341ed89cce6b549459ece99b9bc70
SHA5127b4cb5d0cd8a8fe38335531167aee2f8995a7d49d19bc99d298e33faeecfd02a123b72b71e4002928dabc2a28bf712c90c6e64c42e23dc1235b6aa29e79fd971
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5e632eb6dd6de90a2b3ebd8ed5fac8d30
SHA1360688023b76b394dbbfb6ace55aa25bb79f5a19
SHA256d85a682ac5a29682fb1894e0078f17a28c1c314c378765d4341e75fc50f5bd77
SHA512f936564b0f8faa542ef6b368077c99ccd4992a9d3c13e35266d76b8ef92f0445aec75c0daa0fcc883dba5dfca9115d0c5bf872be2f5c248976ea4ca218a66945
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD5fb8ddfa2172d755a923332821b1fcb96
SHA1177bc5607c95b0b5e59535e9c34695451714f571
SHA256390517bb03fcc870858df328175bed26c01b96126174a08901a8ef74d2bde53f
SHA512ea821cc09e5881fa6b59582114471d1c6bd33dcc1dc3912f8bd69380b6141b7338fc4343af1beb002eb5620fcd4fd3a836a1eb62f74c171a42b438138876ceac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1014B
MD532872754f0893ca0a1f138e42eb75fb8
SHA10cdd216b469b10ca038b48e02f40b8db0e733dd0
SHA2563a3a3629c590e5f760c6162e3b7d652b313332ccca3f9bf212cb04cd67f6d970
SHA5125f3ba8bf5b8c570b16f7e841d314fc0fe1dbd064d3b7711ea0b91d9252a287250f283ba979aea0acff692b4c80ac16992085924f40d4fcc0879f94f62b4953e7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD535b931bbcb93d8bc899ff56b348c836e
SHA14d08911e13e28e6c5e9d70d9f0b8b00954902f5a
SHA2561156e45ce8459d3e5980d57f365e56b9b8324786ce9e8214946d8d4f103f1b2e
SHA512803ab7f383e63d250723be07cd1da2b4b84bbb283c27188223b577fbee7ee13de0d52a0663a80587969035030241ba883d76b01c6df3bdf17301d8e54136f882
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
2KB
MD52a1fe28861b85811a1cb701383032cf7
SHA13df78c69cdda49fbc7dd71f0442d1fe6ad3318fc
SHA256c4969df46ebe236d8d26a80deb8cfc96564d8dd8e2024e64a19d0f21294c962b
SHA512316f9ed5ccaae7d68fb1af13d332a9040ba5d41e790b30b2680f23f6c23a98fd388fe281677f9bb895fa259f9a052395704f14680efa2530aff5a415a099c2ff
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD55bc1a0da8033d78128509e96b3534d2f
SHA19e47c1853c895621d1e1d95c3166d5eb4304412b
SHA2569d95310aa191e3089d83a250a702e618368c5b05eb516abe6cb4e8f0dc0b0442
SHA512f626e45f12d5e49299d0d6055fd379c69af3b8f90166b0d6d6bc4e46743566c357d1c9ec478fe01750ec36f4adc9287e7e983b875ac75f9217ee0840a8231cc9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD598d7cbb2b9ebfe430b6593276f9a37a0
SHA178433961117fb9ae8c1023abaaf6b1d97c5bb9a2
SHA256c278bf04b6ac5e20f7f93d09a31ee9e7d33438ad7308ceec79ae4aad3a2a1db2
SHA512b5fa5492f16e44d26ceb7a1f721791beb74e0bc4f23de429c3e1583ad15add866fd1f02dde89c52584a8c9599673f0553b8b0233fecc33bf9b64cedd828cdfa9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD586186dc184d7296f85b105ce942c3ee7
SHA1090366a6e9f4f1b2e69ae0be465f395983b52856
SHA25662519f08baf7c7b91df7324733ea7eeea91f9a234d2af34653bb706a14d81612
SHA5126f71bb3afaf7bdbbca660a91c467fe99200ad8e190b7e84acfba1b9616625dc7fd0ca7da563d83594c7d03a898201bafe1bc8bd9878dc8559be913d33d76de75
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
253KB
MD54ba893bba8fc81c938df9e2ce258815a
SHA16e3cad210961be1399063371423baa18cece8dbd
SHA256f09f5741971178ad654a8d4f3986148a0f2792a8fce3e4f591acbc2015f848d1
SHA512e14543e3eb5e527ce393f5a723cdfe63588dcab463452e4804e2cdd17711b50a12e73888d9c7f8f8b6cb4b3dfb21ebcc2bbf7e14ff38161d765aa8dc240d84ec
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
253KB
MD5b4b2ed49b338f98dc46f5d34b478dbab
SHA196c561ccb48e46869f8e21e916ac2346de1b873e
SHA256c1dbe715052248535228e56bc4963f8d3ac334a5813eae42da63d0c8e9ee2de4
SHA512766dec73e0e0b5dfd4cbc6a7e27b492fd06a77247cdc9d67aca41ae27a369bb1160b3724a4cda040d5c0b9e3109f9b368267000afa2eb9fb730def4031320939
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
93KB
MD57c3c1ad47f3a5887f73655feef26377c
SHA1844530228981a65d99d45d04fe44c414780ba22f
SHA2564ccb8f8f9bc83de6fd8a373b7e7c9911e9a12556eb9ef3091e6a54e5c95bbbbe
SHA512f720aa4c6ae76252e3ea567c7794e9439d7ff4bd4a7e2ff7d531f8342c0b38eac46c5a3c6819dbb9bda5d0eca5438127f083fb8f69b24adf780ba3cb4c99329b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a6d03.TMPFilesize
83KB
MD57e288953f72a3f6e5f351d02e390519f
SHA15809b2db78625d624cc8f20821cd200136643292
SHA2567991b86e8e72b96f78ed7ac96f0a9f5479781b03c2fda6cf8ca95f9ca50846a5
SHA512d5bf087a73851b7c50f864c670a89b443ce769776b0511a4ec14b40305a8e8ddf1188e0155f630a62099cb71f4235530023900f9ebc0fcb451a2b23ed3085f95
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b86950d4-5d85-4285-b90e-7b33f8666ee0.tmpFilesize
253KB
MD562613ae9eb893b6e64c0e6778639376c
SHA14a3e08a8d25ae5214b9efd2b0fbbee6b43898113
SHA25647f06918c4578a7b8ae623240448246d8f49c13d8dbd81e7a45274d0fd0f0e26
SHA5123d85c2ef7eb3e971b2f7fa77792aeb699b3be020035da2067175894b5fd0155c7d6638ea6fe3361b22c2a5ec27a169bda356908ed5138ea18dd60101d1db338a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f3f6e86c8b7bdc605f5559df800bfd34
SHA1862d05bfba760ae8adcbb509216dc18ead59a6b2
SHA2565dfe9be21d4916615025055f1a70151362bdb404b40f074685e39b33ad545a78
SHA512de576ebf0cbe1c5e7639c42517253796cf4b5770298271ac2e6958404998f2d6b8e3378a535f2f316f4020fd8e60b5cc9c1b6b5171d307ca3215afe8ac47a7c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f1a9c7fa806c60a3c2ed8a7829b1461f
SHA1376cafc1b1b6b2a70cd56455124554c21b25c683
SHA2561eb39b1409ce78188c133089bf3660393ac043b5baade7ff322df5a0ca95380b
SHA512e1cb2f84b5cbd86b107c0a9ec0356ab65a54c91208f9f8e83fec64bf17ae89356a09b0cd39d2726424f4041d7b25b962c23672b8645c2e10f11ff4d2075f4afd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57d904715adf21770a61a5ca2a7228056
SHA186a0e21d319c7585b05f96c48119b1bb934702e8
SHA256b24c07471d30c215e7038edbcb2b1edf313d2884683f00dbe80fae76a7ca9d7a
SHA512b6b35630681bc122baa8049b97d5fb762e035648496f9df0433e67885877fd822811c2d21c66d7f02f1e9f8695f55870b789199ff9a3ca4ad988f72182eab85c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539ebccab20b0bd5e60e42a28d74b16af
SHA17d3cc2acda2457849825d45203899cb5eb6c072e
SHA256c7b47fc52d34983af8968ac3675b6ae9dee077503dd4378e40750041e7aee7a5
SHA512c0df207c36ce9f6b9e8d4a732d54421eb86e045951e1eb6d7cba27b7c066026a19c0700bc877680d609feca79ccc86952f84a25d455ac6685d482f4c65d43576
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
240B
MD5e7df5e17414b5e9e20aabc58d544b032
SHA14f4ed48089ed58c94130ad8ddcbe467f8939fc0f
SHA2560f8a01f4ae1c0cad122966a92faa1050e6c6518b04c27edf42a11c01d43f6de5
SHA512193be6dcf4ac062e4be0a5839a52a71f554506049d6f25c621a9d20a0d28f3cfea1f5b5219cf5ea1780178cdd84067b8e7828ea29637ffc1e8c816880056b558
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
432B
MD5ed43f04d266d71ae8946726dbed2421a
SHA136308ac06c35ed916a857a4683738a2fdf3d538c
SHA25656dd301967cdb44139e2b3921dd118565b0f85cfe66e6ccdcc2cf23bb9fa1f62
SHA512fd0043f536e30271cf8f7af51cccf0c225eab4e528b35c040b0c0b3b56ced6210ecec74782c7f1bab244daeef6686bc7b006db4511e07f0284907dda06e5fa0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
116KB
MD56e109dcf2c0a191bab0f6539c1204a62
SHA121bd94548a54bc95567d26c58c32f6fe70dd5a09
SHA256145a26ad8e9169bf9a88b3db025b13ed4f97bba53a8c21354d13b04d8ea54808
SHA51275b522e6b80579e39bfa37b768d704cbd5bb04e2e69c94cfa8c769a0bb2ed46b74a631547005ca5a65720a78f924026a7f33213f68c3905ea85d9eb79e3b1c2d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
685B
MD55fb918f2d94b3d0e9b331da1687017f3
SHA18c68702e44cdf67ed044135f1afac72f948d20c9
SHA2560dc0d1e962cf4134ec7998281612f4785382f92f3f864ef9fbcc72715f9757fb
SHA512348efb18a2e69b0a97817066e491d3d6f18598c528a02656a52438220e0e4b0b272d77dd151fdbcd3b8f9dc54b9b3ed1a28078d6d5c928826cceef6768ab7e49
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD52ecbc4c94d1e695a90c542f8a30466a5
SHA1a0c23b52de3931007e6fd0422b7884fd163c469b
SHA2560e554760829f261c85721a944535118921a768a9079e623fada7a295ce9ba665
SHA512d206ba06b89a571206924422313f3d381254790b7d03fb468ce9e703b2730cd07671940eb04a09d11e6d2f323cd6c9e43959f6378a94dfaf6bfbce9386d47496
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
247B
MD594bd83393ee4e3c749f28c3414160cbc
SHA168effb04ecc392f2ae4ad7bdc1e99b9116da474c
SHA256e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b
SHA512203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5b0a8c446b8573d4231368f77db86b3a5
SHA1de9dfdb614b7a76c37f88eb8dd6c0f2cf3439faf
SHA256989696fec62ae1b1c2c50337e3126ad1735d16cc4c802439f3b54915b51ddd53
SHA512e29124207f8bcc4ea30c5ea16ad1ba324227e1f902e46d1ab8b14a6a109bdf47c4d3b438773e4ebdbbdbeca2d2686c5a6ec80de745fc5a6cb85a4e558b1b56de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54c63f91f4e437072bea354b84e9db5b4
SHA1637212f6ec42a527401a07287c9c877ac534ef40
SHA256aa90cc178b8f84280ee59892016881e4d102b0dd85610195e2990bdc34ebe3f1
SHA5122328682b47310dde37071ba0fa5ba04e27bfd57d08a5f880921971e1644d27c5ca38f43faa69b85912c345b9176410e0547d6ac7ed857e65639f270fb588f3df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD560c94013e53e657fee3032313356dc8a
SHA145ebcc5356ec8ef89c3d23e46a6ce5c69e844653
SHA2565d59bfbdcc38bdbd00a7306654310c27508cfa9ea66134d24775af3a84debcf1
SHA5124ac37c3fbbe51f1df5141a844f6eeccddd7ea445c76ac6515a593e123f8b3d28e2c5717066293dd53760764ba25d6a261a4fc54d9297a7685858c33a96bddb55
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD51abab7ca4a4bb6f9cb51447f43c41ed5
SHA154c0845c3c32aac464ff32482b0da0fdc06bf62a
SHA256315d6d1c4bc9341716abd150c40fdd1956fd5ee6e4d673ea853bbc54e152d01a
SHA512007743457941852053f98b4efce32a2bdd818048ee551e6f4aba420fdbc915132a7bd1794a2ae95c97ecdbea147a331c4bd2df68e691c80089f6a5e1b2f8720a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13358540411010599Filesize
1KB
MD587f35b61c1f15c97b58478f6079f05f5
SHA14d058d754247543ba9df90ffa20634a2623e0c55
SHA256c18b0367477491004fd09e99d5c996885430d673df1bce7b23d57fe07550829e
SHA512dfb8edd9a4404a12b2d9caa75bd3d389ce99aa69a775423f15f35d2d33623ee9b709a04b87f1d6e9423cb078760204bc96139287ed98e8984cdb8209e4ad25ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD5e7792c205b4b5d74071e6940e43177d6
SHA1f871c53764eaca832cd43778e3f8b50a9a811e99
SHA25675e6e35ed9dfde5aeb47f2f034a5816d2e4e992e51001e1ca0900c89ba8100f2
SHA5129e1a0e5f1fd2c1706e3ce8acdaf71cc38b89b1e3fcb622dd37c6e6b87e2b7c21f1b94d9ea67c499902b80c4966683801e1d78461b39db94e4f50d297f91335cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD57c62f3f3374375eddb7725dd565b3f70
SHA1c8ec591b09e181a75cb0f867d8c502d91814a710
SHA25603919dd23f22baf02b9ceb1e42791f69b5b506414a92b108626d34290e24af4b
SHA512aea59e7f0fe49d5e1a6903fdb0f5dbe3ef142493d5d57de4d3acc1aa482610f416cf2598e4598e18eb25d549adb521ae3fd9e0889a34985be3f6ea3826dbe3a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
370B
MD513395dc018100e45fb48fe135976986c
SHA1c2630741bd8d93ace5c322763d6eb85fa5beac3d
SHA2569269fb3af8271756046ce97ea1dc5c3dbf60915709a1c5fd614919f143bbe388
SHA5128731dd7035b4dfee3be771eef37b8c0fd07e2a8e61bb2cf938ff49697d2e7345fa41a6e7925e6670dfc65227a58658d941516e78fa7ba35e31439907eca76c9d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD5888be33151d02560d1b75d6c895f815e
SHA1473d4bf7de5436151246e1665aaa91a01e17fa68
SHA256a347d7996ee323764a5edbd97932bd1f611dded1efb78456f125ddfda8951de1
SHA512867b15fe6c98ab80cd9c55cd705cd6b0269630661e91bd7f3861446bb74b9014d2edb3e451cb76e0f17e303cb5e3171f9e928034e54a35a54b23769d751819ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f8e84c54-f804-4d6f-b3bd-6b8074217aa8.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
44KB
MD564e5476efbec82117a0c73df5cb42f07
SHA1366905d5fe20d9bd379e2ed6d2e3bb4b31d563f0
SHA2561192b5f8bd335d7753e2faf6da2d8be12f4fe41cd78b809ff086c7ab07bc1946
SHA5124528dc095323fe66c3cb24f1f2b1662dda2f6628b81fa6b6b176b18bae4815740e918d8337c5a0c8cff972831799d6d40a5e3d67680f9e34334abfb5028db7cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50acf30f25f5b2b59b5b57f035207e1d0
SHA125e884466f2b85e78234f35cf4728acda274f7f1
SHA25623fa1ed1ea2ae149be804b403d8dc90e29e56c7aba5058e6b146ccc6c6340821
SHA512ad9ca0d3df0785ee7cd3b5de897735aabbe5c0e6d895d7753b0df483f76dc75848a2ab677c971b85fb959c25b8ae8f403c8189922780994a2db290509454936a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD59fcb2b0156c434f05d123ebb148ed11d
SHA1ef40ac6461198007b328f1f2b49523a9ebc9962e
SHA2565e7bde4758c98f4bc4c447533850d61447cf5bc0fe2afaec5527c9d5cb6fb99c
SHA51225844ed5a41f3c02046754f3d7c8e354efb43d98f9652cec24832e9d0fbbd2a4b43a55451e732ac9a0d01774f1fbf1b4508aa3e45b29ad15db3ac4411b9f3584
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
576KB
MD5e3ce8738ab0ec96b0656e6d0945ce2b7
SHA12286079e234c1968780cfea0458485de018d9667
SHA256df4f6ee9f9d54bee84506ccc9e5cc334da69fa34d5e213dc0b77f5195382dbb5
SHA512e01f40d07a42afe632540859b8e732c592ae90de1bbab10ecbaab912775be851fb32954a2e7b8640426c5342eed08f763483d510d5a14a695a5e3cc81de506b8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XMLFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KXAXPKLE\LNC[1].batFilesize
902KB
MD5602ac0bd731b2615933dde1442e96ff7
SHA1586be9b5bb086aa301eea7df5ee998390756b912
SHA25697c781dfaa813232a8d13f7dcdfd1490f355ab85823b2cd73b9dd259d3a1ad07
SHA512d5cee12b3c99cae442808c463636faa0f96cdae24d6caff13fd5e27a40f74ce58cd15f43430d5ebd15d968588d491dee17bb31b3f7c19ed7d55e2882a25d30eb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIWVQTI3\Peki_Spoofer_V4[1].exeFilesize
34KB
MD5b2378bf2012913426e94a6a884b90bfb
SHA1c82103a193313f632d5d780814ee351b195cdbd7
SHA25610c1d8366c9cf14636ad7851227ef5b4fbebd186629370d8d026887ef822acac
SHA512b87ef3393e93cf5f4687543e71cfd9bcafc1c75348ba1770bbdd1b4d7dfbb7cea5a20587cb2fb487f3cb5e1c1d2b601c4984a907a61d5ada0288815500743ef0
-
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp5756Filesize
304B
MD5781602441469750c3219c8c38b515ed4
SHA1e885acd1cbd0b897ebcedbb145bef1c330f80595
SHA25681970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
SHA5122b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461
-
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.gq5756Filesize
566B
MD54ea1367f27c5dd040e00380aba496fb8
SHA1fdea497af21a5b71d07b8ba63cb57850a09b5488
SHA256fdadff037b1f4c8871c90ee38da329143fb34f059b7a83bd3fed08d7012e8fcf
SHA5125e7bb71727d3950517f17537578e8a40cc4129065770e26157bc009bd98ebf1962697f4cc70529c56260ea5ebbc0aba58a1ba9bf845308d30ad1b4e8c309d358
-
C:\Users\Admin\Downloads\Peki_V4.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Unconfirmed 25737.crdownloadFilesize
548KB
MD53d3e8bc1bd5265a4f35da0b594d60fbf
SHA127ae0bb3399f9178f272258a4a9153d5af6aea56
SHA2562ba3caaba8ddeae1e33ec188c3c4ae322b856b44e0caabeb8909c661c668e6e5
SHA512d41707d765f93b0790887a1351c72584356146c1d02e8fd1009739404d34b329d6abb538e1fd9f28161ed0e229a1259460655232676109f081cc14a0022f2b05
-
C:\Users\Public\Documents\desktop.iniFilesize
278B
MD5ec659b643b3dc5a57dafa797bbc83871
SHA11279184f609ae3d548d88ae02a586e341baa590e
SHA256b18f9a899844d82f60ff3a1ab7fc9efc4a7297d78c04bcda65362b7bce2c02a8
SHA512f9096ec72096b15629f3153908e2f51da316b68b754daef91728c8ae86fcc51bf540709d85166538e2766864d69f906b5a67dcb1b65ed78f2bdc49ba2f4d7c96
-
C:\Users\Public\Music\desktop.iniFilesize
380B
MD548f5ac70aaedafe403b362e41da1e1d6
SHA1d40e48c5d0ba5f764c2b8d064a4ff3c6b85d7719
SHA256f09a1312cd41aadc809249dc3a6f5d5318266b40fd74b9e714571419810131de
SHA512d2a2d5db0fcc41dcde5b0797f1c917d050b75e5ffdac5a09cefef3aa386ced22f94f2719d76eeb03d063d0d199b8cd1705b563b70f4334c4de01d1264b1a5dd2
-
C:\Users\Public\desktop.iniFilesize
174B
MD57220fad57a4b3d9d9755c51198cc0386
SHA1bd2d52d62d3e9810e1072cc5ca6285da5e5c3853
SHA2566de1a716b5c49541ebc9692b16efa6fdb75b18c2a210974f94f83dcfdf8800d7
SHA512e46df475a3e52535913ae369fe56a1230fa11656b6fe31cfd160302a56f599cde45841d10f5faa53ac4c7f2da4a1de34d362153c35dc47cf87a4a8358625b9bf
-
C:\Windows\INF\dr43.exeFilesize
702KB
MD56ab27eb6a486f4794145309ad0d18e91
SHA1e414a7523480637747d3913662baa341aeb6abbf
SHA256131af227a519d4daf8233fb5139fd7ae75f594673b91eac9f0c108b0bbe87b1e
SHA512ac6966c6792e821ba927f1207c247596f19057900ae8108841fa00aa1af8afa724bc9417b3bd5643d1656cafaedce5f001f3652722e364f9b104bfcd44ed7457
-
\??\pipe\crashpad_2772_YJKPBEUTNTYKMHQAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5756-1091-0x00007FFFD8050000-0x00007FFFD815E000-memory.dmpFilesize
1.1MB
-
memory/5756-1088-0x00007FF7BE520000-0x00007FF7BE618000-memory.dmpFilesize
992KB
-
memory/5756-1090-0x00007FFFD8810000-0x00007FFFD8AC6000-memory.dmpFilesize
2.7MB
-
memory/5756-1089-0x00007FFFEAB40000-0x00007FFFEAB74000-memory.dmpFilesize
208KB
-
memory/5756-1092-0x00007FFFD6FA0000-0x00007FFFD8050000-memory.dmpFilesize
16.7MB
-
memory/5944-1169-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1173-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1177-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1176-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1175-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1167-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1166-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1171-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1172-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1174-0x00000000059E0000-0x00000000059F0000-memory.dmpFilesize
64KB
-
memory/5944-1170-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/5944-1168-0x0000000007B00000-0x0000000007B10000-memory.dmpFilesize
64KB
-
memory/6120-1068-0x00007FFFD67B0000-0x00007FFFD68BE000-memory.dmpFilesize
1.1MB
-
memory/6120-1065-0x00007FFFF2C20000-0x00007FFFF2C54000-memory.dmpFilesize
208KB
-
memory/6120-1067-0x00007FFFD74D0000-0x00007FFFD8580000-memory.dmpFilesize
16.7MB
-
memory/6120-1066-0x00007FFFD89C0000-0x00007FFFD8C76000-memory.dmpFilesize
2.7MB
-
memory/6120-1064-0x00007FF7BE520000-0x00007FF7BE618000-memory.dmpFilesize
992KB