Analysis Overview
SHA256
c7e7b94a79439b71aa3b620b9d16e41ddcfafd90eece908a45416756c8fd3ac7
Threat Level: Known bad
The file Scoala-Nr-2.jpg was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies system executable filetype association
Loads dropped DLL
Registers COM server for autorun
Executes dropped EXE
Themida packer
Checks BIOS information in registry
Enumerates connected drives
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Checks system information in the registry
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Checks processor information in registry
NTFS ADS
Suspicious use of SetWindowsHookEx
Runs net.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Modifies registry class
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: LoadsDriver
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 06:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 06:57
Reported
2024-05-10 07:05
Platform
win10-20240404-en
Max time kernel
424s
Max time network
406s
Command Line
Signatures
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\software\ULEXPY.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
Modifies system executable filetype association
Every row in this table is written by C:\Program Files\WinRAR\uninstall.exe, which the dropped package created (see the Drops file in Program Files directory table); the CLSID {B41DB860-64E4-11D2-9906-E49FADC173CA} it registers under exefile and lnkfile resolves to C:\Program Files\WinRAR\rarext.dll in the Registers COM server for autorun table below, so these entries are WinRAR's own shell-extension registration. The second CLSID, {B41DB860-8EE4-11D2-9906-E49FADC173CA}, has no InProcServer32 entry anywhere in this report and is left unresolved here.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Program Files\WinRAR\uninstall.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\WinRAR\uninstall.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(48 matches in total; the report captured no description, indicator or process for any of them, so the remaining 47 identical rows are not repeated here)
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| N/A | N/A | C:\ProgramData\software\ULEXPY.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| N/A | N/A | C:\ProgramData\software\ULEXPY.exe | N/A |
| N/A | N/A | C:\ProgramData\software\ULEXPY.exe | N/A |
| N/A | N/A | C:\ProgramData\software\ULEXPY.exe | N/A |
| N/A | N/A | C:\ProgramData\software\ULEXPY.exe | N/A |
| N/A | N/A | C:\ProgramData\software\ULEXPY.exe | N/A |
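The tables above mix two kinds of events: checks made by the loader's own binaries (ULEXPY.exe, MAILIFY.exe) and registry reads by software the sample installed (Process Hacker, WinRAR) or by Windows components (taskmgr.exe, LogonUI.exe). The following Python script is an added example, not part of the original report or of any sandbox vendor's tooling. It parses rows in this report's table format, attributes the anti-analysis signatures to processes while discarding the installed-software noise, and resolves the shell-extension CLSIDs from the filetype-association table against the InProcServer32 values in the COM-server table. The category names, the noise prefix list and the embedded excerpt (rows copied from the tables on this page, the SCSI row from the table later in the report) are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict, namedtuple
from typing import Dict, List, Optional

Event = namedtuple("Event", "signature description indicator process target")

# Signature headings treated as environment/evasion checks (category names are
# this example's assumption, not a sandbox vendor's taxonomy).
ANTI_ANALYSIS = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": "vm-fingerprint",
    "Checks BIOS information in registry": "vm-fingerprint",
    "Checks SCSI registry key(s)": "vm-fingerprint",
    "Checks system information in the registry": "vm-fingerprint",
    "Checks whether UAC is enabled": "uac-check",
    "Suspicious use of NtSetInformationThreadHideFromDebugger": "anti-debug",
}
# Processes whose registry reads are expected noise (software the sample installed,
# Windows shell components). Assumed list; extend it per report.
NOISE_PREFIXES = ("C:\\Program Files\\Process Hacker 2\\", "C:\\Program Files\\WinRAR\\",
                  "C:\\Program Files\\Mozilla Firefox\\", "C:\\Windows\\system32\\")
ROW_RE = re.compile(r"^\|(.*)\|$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
INPROC_RE = re.compile(r'CLSID\\(\{[^}]+\})\\InProcServer32\\ = "([^"]+)"')

def parse_report(text: str) -> List[Event]:
    """A non-table line names the current signature; each '| a | b | c | d |' row
    under it becomes one Event. Header rows and malformed rows are skipped."""
    events, signature = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            signature = line
            continue
        cells = [c.strip() for c in m.group(1).split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            events.append(Event(signature, *cells))
    return events

def is_noise(process: str) -> bool:
    return any(process.startswith(p) for p in NOISE_PREFIXES)

def anti_analysis_by_process(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """process path -> {category: count}, with noise processes filtered out."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        category = ANTI_ANALYSIS.get(ev.signature)
        if category and ev.process != "N/A" and not is_noise(ev.process):
            summary[ev.process][category] += 1
    return {proc: dict(counts) for proc, counts in summary.items()}

def com_server_map(events: List[Event]) -> Dict[str, str]:
    """CLSID -> DLL for each InProcServer32 default value set in the report
    (the report doubles backslashes inside quoted paths; undo that)."""
    servers = {}
    for ev in events:
        m = INPROC_RE.search(ev.indicator)
        if m:
            servers[m.group(1).upper()] = m.group(2).replace("\\\\", "\\")
    return servers

def shell_handlers(events: List[Event], servers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """CLSIDs written under the filetype-association signature, mapped to the DLL they
    resolve to, or None when the report never showed that CLSID's InProcServer32."""
    resolved = {}
    for ev in events:
        if ev.signature == "Modifies system executable filetype association":
            for clsid in CLSID_RE.findall(ev.indicator):
                resolved[clsid.upper()] = servers.get(clsid.upper())
    return resolved

def triage(text: str) -> dict:
    events = parse_report(text)
    servers = com_server_map(events)
    return {"anti_analysis": anti_analysis_by_process(events), "com_servers": servers,
            "shell_handlers": shell_handlers(events, servers)}

# Constructed excerpt: representative rows copied from the tables on this page.
SAMPLE_REPORT = r"""
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
Checks BIOS information in registry
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\software\ULEXPY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
Checks whether UAC is enabled
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\software\ULEXPY.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| N/A | N/A | C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe | N/A |
| N/A | N/A | C:\ProgramData\software\ULEXPY.exe | N/A |
Checks SCSI registry key(s)
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies system executable filetype association
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
Registers COM server for autorun
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
"""
```

Running `triage(SAMPLE_REPORT)` leaves only ULEXPY.exe and MAILIFY.exe in the anti-analysis summary, which is the process list worth pulling from the sandbox for static work; the Process Hacker and taskmgr.exe reads drop out. The shell-handler map shows the 64E4 CLSID resolving to rarext.dll and the 8EE4 CLSID as None, i.e. a registration this report never explains and therefore the one to check by hand.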
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WinRAR\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\Process Hacker 2\is-FJ8DC.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\WinRAR\Zip32.SFX | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Resources.pri | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\is-08OSU.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\WinRAR\WinCon32.SFX | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarFiles.lst | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinRAR.chm | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExt32.dll | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-OJF5N.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\is-VUG87.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-LO54V.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\WinRAR | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\Rar.txt | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\UnRAR.exe | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinCon32.SFX | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\ProcessHacker.exe | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-DLMRJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\WinRAR\Descript.ion | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Order.htm | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\Order.htm | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\WinCon.SFX | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\WinRAR\zipnew.dat | C:\Program Files\WinRAR\uninstall.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\WinRAR\Descript.ion | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-DEPPS.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\WinRAR\Rar.exe | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Default32.SFX | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtInstaller.exe | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-4H058.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\WinRAR\Uninstall.lst | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\WinRAR.chm | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\Updater.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\WinRAR\Rar.txt | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\Rar.exe | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\UnRAR.exe | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtPackage.msix | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\Process Hacker 2\is-KC05H.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\is-T1BUD.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-CKGEB.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\WinRAR\RarFiles.lst | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\Default32.SFX | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\Default.SFX | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File opened for modification | C:\Program Files\Process Hacker 2\plugins\UserNotes.dll | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-L9PC6.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\WinRAR\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240660453 | C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe | N/A |
| File created | C:\Program Files\Process Hacker 2\plugins\is-UHE08.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
| File created | C:\Program Files\Process Hacker 2\is-VPGAJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\software\ULEXPY.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\Control | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\LogConf | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
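The VirtualBox ACPI, BIOS, SystemInformation and SCSI tables above list the registry locations the sample's binaries read to decide whether they are running inside a VM. The following Python script is an added example, not part of the original report: it evaluates a snapshot of those same locations and reports which ones would give an analysis VM away, and on Windows it can take the snapshot from the live registry so a sandbox image can be checked before the next detonation. The registry paths are the ones in the tables; the hypervisor marker strings and the embedded sample snapshot are constructed for this example.

```python
from typing import Dict, Optional

try:
    import winreg  # Windows only; the evaluation logic below runs anywhere
except ImportError:
    winreg = None

# Locations the sample reads, per the tables above: (HKLM subkey, value name), or
# (HKLM subkey, None) when the mere existence of the key is the tell.
CHECKS = [
    ("HARDWARE\\ACPI\\DSDT\\VBOX__", None),
    ("HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion"),
    ("HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion"),
    ("SYSTEM\\ControlSet001\\Control\\SystemInformation", "SystemManufacturer"),
    ("SYSTEM\\ControlSet001\\Control\\SystemInformation", "SystemProductName"),
]
SCSI_ENUM = "SYSTEM\\ControlSet001\\Enum\\SCSI"

# Substrings that name a hypervisor in those values (assumed list for this example).
HYPERVISOR_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "QEMU", "BOCHS", "VMWARE", "VIRTUAL MACHINE")

def marker_in(value) -> Optional[str]:
    """First hypervisor marker found in a registry value, or None. REG_MULTI_SZ
    values such as SystemBiosVersion arrive as lists and are joined first."""
    if value is None or isinstance(value, bool):
        return None
    text = " ".join(value) if isinstance(value, (list, tuple)) else str(value)
    upper = text.upper()
    return next((m for m in HYPERVISOR_MARKERS if m in upper), None)

def evaluate(snapshot: Dict[str, object]) -> Dict[str, str]:
    """snapshot maps 'subkey\\valuename' (or a bare subkey for existence checks) to its
    content; returns the entries that identify a VM, with the reason."""
    findings = {}
    for location, value in snapshot.items():
        if location.upper().endswith("\\VBOX__") and value:
            findings[location] = "ACPI DSDT table VBOX__ present"
            continue
        hit = marker_in(value)
        if hit:
            findings[location] = f"contains {hit}"
    return findings

def read_snapshot() -> Dict[str, object]:
    """Take the snapshot from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: run this inside the Windows VM under test")
    snap: Dict[str, object] = {}
    for subkey, value_name in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                if value_name is None:
                    snap[subkey] = True
                else:
                    snap[f"{subkey}\\{value_name}"] = winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            continue  # key or value absent: nothing for the loader to read either
    # SCSI device instance keys carry the vendor in their name (e.g. Disk&Ven_QEMU&...)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                name = winreg.EnumKey(key, i)
                snap[f"{SCSI_ENUM}\\{name}"] = name
    except OSError:
        pass
    return snap

# Constructed snapshot imitating an unhardened VirtualBox/QEMU image; values are made up.
SAMPLE_SNAPSHOT = {
    "HARDWARE\\ACPI\\DSDT\\VBOX__": True,
    "HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion": ["VBOX   - 1"],
    "HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    "SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer": "QEMU",
    "SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName": "Standard PC (Q35 + ICH9, 2009)",
    "SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_QEMU&Prod_HARDDISK": "Disk&Ven_QEMU&Prod_HARDDISK",
    "SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_WDC&Prod_WD10EZEX": "Disk&Ven_WDC&Prod_WD10EZEX",
}

if __name__ == "__main__":
    snap = read_snapshot() if winreg else SAMPLE_SNAPSHOT
    for location, reason in evaluate(snap).items():
        print(f"{location}: {reason}")
```

On the constructed snapshot five of the seven entries are flagged; the SystemProductName string and the WDC disk key pass, which is what a hardened image should look like for every entry. Note that ULEXPY.exe and MAILIFY.exe only need one positive answer, so a sandbox image has to clear all of these locations, not most of them.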
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\WinRAR | C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc\RemShown = "1" | C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc | C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT | C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface | C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.001 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = 00000000ffffffff | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\NodeSlot = "3" | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\Rar$DRb3296.17924.rartemp\MAILIFY\MAILIFY.exe:Zone.Identifier | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| File created | C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\MAILIFY.rar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Scoala-Nr-2.jpg
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.0.627285904\149893314" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99c16d50-c85d-4aa7-92e3-2ce236664dd2} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 1776 1b8110d7558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.1.1712121173\169869916" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfec865f-df12-43fe-bf3a-27b09359660f} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 2132 1b810ffcb58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.2.1045974253\425031885" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2856 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d95637-6f42-4005-8b5c-a9c47d06628f} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 1540 1b815197458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.3.1298140803\671320243" -childID 2 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03a9c21c-eec1-4749-83f0-053816915cc0} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 3260 1b8137d9f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.4.739706527\1913662260" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f61f42d6-aac2-425b-8d93-4e41e0e62b95} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 4228 1b813aa2458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.5.1387591922\773516571" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1533645-15b9-4e74-a511-919912f9de91} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 4836 1b817507958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.6.37183384\1821493709" -childID 5 -isForBrowser -prefsHandle 4708 -prefMapHandle 4704 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60361d9a-ff02-429a-8622-c57945627310} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 4924 1b8177d9858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.7.835412683\45943948" -childID 6 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd27b42-c440-482e-84bf-dc9664ac6821} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 4836 1b8177da458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.8.1640850598\551155849" -childID 7 -isForBrowser -prefsHandle 5892 -prefMapHandle 5904 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e746c600-51a3-4bd2-ad57-d5267638425c} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 3032 1b87e66b858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.9.2103680430\1181906936" -childID 8 -isForBrowser -prefsHandle 6044 -prefMapHandle 6048 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b233505f-e85c-4aaf-a89c-c2775ad9a8b1} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 5580 1b818b2f158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4376.10.1655690426\261993646" -childID 9 -isForBrowser -prefsHandle 6092 -prefMapHandle 6096 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {488ea5ad-8c4b-4ec7-9f3c-10f35078f8f4} 4376 "\\.\pipe\gecko-crash-server-pipe.4376" 6252 1b8156b3258 tab
C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe
"C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe
Ninite.exe "9bfdbfdc5bdac18d36123a99e9aae4666e511fbe" /fullpath "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe
"C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe" /systemservice
C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe
"C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe" /S
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe
"C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
C:\Users\Admin\AppData\Local\Temp\d0b8ff4d-0e9a-11ef-a993-524829b8d7a9\Ninite.exe
Ninite.exe "9bfdbfdc5bdac18d36123a99e9aae4666e511fbe" /fullpath "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
C:\Users\Admin\AppData\Local\Temp\d0b8ff4d-0e9a-11ef-a993-524829b8d7a9\Ninite.exe
"C:\Users\Admin\AppData\Local\Temp\d0b8ff4d-0e9a-11ef-a993-524829b8d7a9\Ninite.exe" /systemservice
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\MAILIFY.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe
"C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s4e0.0.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\ProgramData\software\ULEXPY.exe
"C:\ProgramData\software\ULEXPY.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 748
C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe
"C:\Users\Admin\Desktop\MAILIFY\MAILIFY.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s20o.0.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\ProgramData\software\ULEXPY.exe
"C:\ProgramData\software\ULEXPY.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "ULEXPY" /tr C:\ProgramData\software\ULEXPY.exe /f
C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.0.969606117\968425784" -parentBuildID 20221007134813 -prefsHandle 1604 -prefMapHandle 1592 -prefsLen 21136 -prefMapSize 233583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fa1b6fd-586c-4c05-ad01-aedd6274205c} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 1696 1fae41e7358 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.1.889234674\1171348546" -parentBuildID 20221007134813 -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21181 -prefMapSize 233583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c0e17ec-7503-44fa-8fe2-0b6c80e0832b} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2004 1fad90dcd58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.2.1276195620\714054109" -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 2860 -prefsLen 21642 -prefMapSize 233583 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d4eb446-8434-43fa-9137-29079dffc21a} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 2876 1fae7e83658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.3.1065047521\1067088614" -childID 2 -isForBrowser -prefsHandle 3380 -prefMapHandle 3376 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbab6de6-0f3d-4e8f-9d5a-047a9741be7d} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 3392 1fad9061958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.4.661046463\250817773" -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 4024 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1037ceee-d4fc-4b60-9805-a0bb624cd7b7} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 4060 1faea75d558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.5.2048810291\1673666024" -childID 4 -isForBrowser -prefsHandle 4420 -prefMapHandle 4492 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1df12d55-ff28-4075-880b-abcd23012821} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 4460 1fae9423f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.6.585933377\1868512470" -childID 5 -isForBrowser -prefsHandle 4664 -prefMapHandle 4668 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cb1530d-993f-499b-a8db-d55c429f2b47} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 4656 1faeae48358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.7.246747245\1154425712" -childID 6 -isForBrowser -prefsHandle 4868 -prefMapHandle 4648 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31868154-3797-4bc7-9e4a-584dcc21b580} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 4856 1faeb76a258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3852.8.212621659\76929018" -childID 7 -isForBrowser -prefsHandle 5288 -prefMapHandle 5284 -prefsLen 26820 -prefMapSize 233583 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42bdc10d-fa72-4dc7-9859-636dabebd54d} 3852 "\\.\pipe\gecko-crash-server-pipe.3852" 5296 1faec36b358 tab
C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
"C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-186DU.tmp\processhacker-2.39-setup.tmp" /SL5="$70546,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
C:\Program Files\Process Hacker 2\ProcessHacker.exe
"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "ULEXPY" /tr C:\ProgramData\software\ULEXPY.exe /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\net.exe
net user bar /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user bar /add
C:\Windows\system32\net.exe
net localgroup administrators bar /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators bar /add
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c6055 /state1:0x41c64e6d
C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 3c85f076b51faa4da1a5a4439f9de262 |
| SHA1 | ce18ca7f291bcf4d91d13c5c5bf8bbf4d571d06b |
| SHA256 | be091693540100bfc75c0cd74ad11bac3b6ce254496b73fe5383a9e06bc3982e |
| SHA512 | 852625bfff22573873252939dc361af867c6c0c14ca7ce7ed907fb2969e97fcd5a1dd9a3097287a560ebd2052f81a7c8834df981366e3502e327bbb1b6bfabb0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\5049ffc0-9c7c-4b9b-9abc-e51ee93a9444
| MD5 | 42dd38a311f22261351b65623f723028 |
| SHA1 | db0e97696e6f83726b29b0c9094cfbd62ae50ada |
| SHA256 | e78ce2d040ce9b2a4c064228bdc4961d4511a86c39777a47c8f961dc27c6c85c |
| SHA512 | d8d2526a7363585133a627ccd5e9ffb881607273c05de9d1c510e6f1ec8246b9523fa844decbb5e31445be2d850e614e51585a1c6f60a44e2dbd0e05f6029411 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\c97d00c8-464d-42e2-a024-422529ea4e72
| MD5 | 798caa04c100c1d525efb430e48ba235 |
| SHA1 | 40c7059999758004d12120bf14344149eef0873a |
| SHA256 | 79a0d0dfec99637fdfccf4aaf2d9fa85977e2967d6fddca9779da2be526d078e |
| SHA512 | 324ec07d9d90bbb1fe10aaa191e530a3cc528c2d14c56b5e742d4ad0d36acb04e6d8fbede5eef82947adbb2aa634eea309c2655473de70ab877aeaee2573cfbc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
| MD5 | 58f60148e4d61828b777e75506e53689 |
| SHA1 | 13ff6ee6a19740da3401a1419803f54c3e773a16 |
| SHA256 | 7b28cdd32011be8a96b2b74611838ce659e810aa65f57b01a5771bd118a88ff1 |
| SHA512 | 003fb201160c1661225201c0d0889a89ea560bb56ee013ec289a4eb992dde69c96369706d46994dce0e1d568e1c4f42e1ca20df75b675c2667210e3fb0f88f6a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
| MD5 | a11375519af1d5e81e73760bb79b6d66 |
| SHA1 | afe68913c0cbe153dcd3bf77246733a6d8568e63 |
| SHA256 | af6aae03d18b92939848994d241dbed4dd719ccdb1a16733f149f67ae4c98620 |
| SHA512 | 61316df3784fc60ddfa5ed6068785ed81cb0d9d1fef507dbcc0d9aabbec342281a7405847463623aa05ba107d2ad2302cca442e2dd65276481f68e1be7edf3da |
C:\Users\Admin\Downloads\MAILIFY.oTWK1IEH.rar.part
| MD5 | 633bdcc598aa26acb2c932e552d37162 |
| SHA1 | 0c5418572c9b96d4e5fdb186578372260c0bc8e9 |
| SHA256 | 0cd3fc195806d19ae409d24c6f74fa9a2da91aa0d7687ec71ebcafc0ebab41b4 |
| SHA512 | 0fa34b82e68b01aaa7b80a7fa351f2e296bb819de07c8aa434af957b34a76fa50f41d55164c5b96ccdd9543cab2a7789c8be32f1a0a0ce7d610f66c26d5141ac |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
| MD5 | 9f273b539fdcdcc823ad84d0724d2b41 |
| SHA1 | e6e3c6b56577f004eaf89eef0bf0b1a8c0ed2185 |
| SHA256 | ba246a3456cfb088a9ed3116e8ad9d5874ba6f560f2c4808057613701756ab0f |
| SHA512 | c7110d22a35c258f39c2fdcd418e1008189aa0bee13270dc3456c7069ba696040dcb1765c851a56af57244da1ba9e28d2ec99a55c8fd2ad8e40beb458d2d7d6a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c7107803f9801d75c82196092c04b95d |
| SHA1 | 0d18fe97e4ab873feca00fb31eb7b9619942abd2 |
| SHA256 | f1a06ad06ed72d9bca91fdd84b5805f2030b623b900db8a86f88c240d62a019a |
| SHA512 | aed898c8d3ba532d8b8c05e2a1b597a1e867a2a170590d19586a9c8fc3b80c81ef4b95cfa429e3b7648722e67499650cc4b87755f4640bfe3b7c83ebe86b26a0 |
C:\Users\Admin\Downloads\Ninite WinRAR Installer.0Eo5hMEH.exe.part
| MD5 | 4c0f0553293b19eef2d3339dd1c14496 |
| SHA1 | cf9e23756ce42c46b97cfdfe605fe1df946b4059 |
| SHA256 | b6fc0d3f411eb56a3e339598d4b4fdcb763c70f44987e657500bf9042cbd8bac |
| SHA512 | 074a93fd2fc33f3d9ce6908323d6a4bf23b04c11f44fb6864f87f3131b642ce39680f6c9ee961639aae55566c17308e83d403d11c0bee22f3783a2f087099ec9 |
C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe
| MD5 | bc4d5a61008f1571113d28a6eee19480 |
| SHA1 | 820e9236418609df7c89f2eedbb687bbe7b6ea45 |
| SHA256 | 375073ea7f64a19b61a3411de2acf22a5e9aa0d09418eefc05182fa9af885626 |
| SHA512 | c11bb721e2ad5cc6da364d44f1754255c5fa577c708b16e59c96671dff2bfb0c961fce83a6e935c63c766d314dd514cb76d03243333c739afcb9b887c9c53ab6 |
C:\Users\Admin\AppData\Local\Temp\c499feb5-0e9a-11ef-a993-524829b8d7a9\Ninite.exe
| MD5 | f1db4fe1d4559183cd1b35a257c970cc |
| SHA1 | 57d3904540930c3ebf80f30b6b6097bd055b6940 |
| SHA256 | a5f912ccbde324b7c5f5d81076ccda813b2d80d311f4c854d358b85b02094d56 |
| SHA512 | 7ca2546d31b88d701d195adf62e10209f3216033692348b4f8ff54e254baca7c1e72dfbae66ccd5e684cf53900cbed3f5a05ddc24adb251ce752541fb1f56c69 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
| MD5 | 6c21e0b32f9ed1928f577b2f80d26947 |
| SHA1 | eeafe1b6bd6f815c84a5551e2ad44522fab867a0 |
| SHA256 | 47ba6e041170bdca926f57e216789122827b5501f48888a00baa3fc6ba5c25f5 |
| SHA512 | 7403c2150ff7fe1abc3ec87380498d2700b858dcc9eb1b053f870fe3e088a8293cb23d665d1e9c3966e33841ee0ab1b69254a90954b08a598e830ccc59b8ac01 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
| MD5 | 33f6609037d194995ded6f1d72bbb86f |
| SHA1 | bce2aac93a4d11962bfc2571f213ce0de75fe9bf |
| SHA256 | f812282b0dab36f6628bce1f262272458e8dab21155802c16bd6c624e1030bd0 |
| SHA512 | 08c5032166e1ccbe7395adbf736f48971017a0f93f9e3865f66959feea794f4547e88ed88e01c08848578551851ce447353dc0cce6a12de9fbba19e7935de0d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
| MD5 | c28092791d6ccfa8c15cefc3b349aa7e |
| SHA1 | 94748ad1e596774296406bb62f550264976afd05 |
| SHA256 | a7b49baa520c6d7dd3d635b58e7a6df4d4c34f472e53f00cd7afe81818b1fdb7 |
| SHA512 | db4db4e3cbb33bd7196d4f351a5fbe9fe87543d8ee55cb4856256ff4add8bd8bb0e540cf1034e2e680a9359ee1fe06ea074e487203e9484f15a17ce834dbb1f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
| MD5 | 79e6b6f575b1c8d241cf6093fc5f7404 |
| SHA1 | 539ec5f92e25b35da76e8c24a4c80273389ac2fb |
| SHA256 | 1ba17e67487a43dd2e91a3774eb2060521abad84a3616026c255ae327ed1ee3e |
| SHA512 | 884bac9690790e438e80d1f86a64104919f44540dbec0813d78d4a9404dee02d30a2365e20a373c54ceaf0350a6fbb33cc84467fa8c6cb0f81f20046c3ec3b50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
| MD5 | 2be0823235209a917e16051abcb4e090 |
| SHA1 | b2ce00ad117c73bea0170d41b7b12a0171ae62db |
| SHA256 | 380c01443fb2efd38fcb2ea2f9643d22dac7bd10cb691ce6da267185efe815a7 |
| SHA512 | f49b06cee3ecbe268b6a6526ea5d990baa7cc6ef4e6e307b3160ef2161a15adc35f2445893d9b5b78c7b55988039bebb1328a53ec819776c24b64ea3b6a6723d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
| MD5 | 3d3fac295bc9da43cf0a1b5ee222fe32 |
| SHA1 | 397bd04df40ac35ed28db17113894f90a75a56b5 |
| SHA256 | a871e42808bbada8dc11c3a2a7ed02b12b83e67da0b66607a3c10ea9df8b317c |
| SHA512 | b4fe6a7c36ad6f3db067b4e7f2c3e560ec83a52b5164cbd48f1ff423e4abe806e85c9aa0d0693845fde8e6ae27b3b85570cf9dc1d8f359c962fa3a95af93873b |
C:\Users\Admin\AppData\Local\Temp\C61614~1\target.exe
| MD5 | fc7776eec30751e169e1089bc2a4c478 |
| SHA1 | 99cdb78719ca97c7351aa75f1566224396d9033b |
| SHA256 | 426b7b38ca6de20f1f6535d2fa63c16e11780c7cd5f2ebc66ff9a0022e246e83 |
| SHA512 | bc94f526d4dd751a44071dd6f540f2957d96f5c6500d7e5bb41ec6581bb0a584a6bb91fe13f7a1d9c7749c4601b1fe95f2a12a204b73bdc9a37c83cff7ac35c3 |
C:\Program Files\WinRAR\uninstall.exe
| MD5 | 3b9751d170e92bedba4a258ee07c1337 |
| SHA1 | 177e754ab15d2f9cec2814387141f953d4202a3a |
| SHA256 | 4a851f3e9db0400ab4eeb7f61a7e79c44d3847f6f27fdd0b6c293ff78bad70ed |
| SHA512 | b3af0e96f87af6b1031c29dd180d354229ac1064ac9eb63d3e957a8f01b4332f0f9356b9e32d1cc153cb58727fd04cfa610b98f3e6107917f6d49c6cc52ee6dc |
C:\Program Files\WinRAR\WinRAR.exe
| MD5 | e95e38c00b5a74f5fd31cd743d2449ce |
| SHA1 | 15035d9f218a4629a8449829eba85b40806f4f59 |
| SHA256 | b5268f32fb72dfcfc1109c4a305d3a4bac11a5815123659cd345b24dee0854eb |
| SHA512 | 934783173a61caa88d353708789b518aa7630d94ccdbc503b26db4309d54f5ede2fb897ec69a0e1aea6ea6f29f4a5ce9bc845c31c35530a65bf33fd829636d4f |
C:\Program Files\WinRAR\WhatsNew.txt
| MD5 | 2b9e0d72411ef328313c0c703d76854c |
| SHA1 | 6f52c400fb211181985cd28330a173b74af0a685 |
| SHA256 | c13db7e2b3fb2430a10abf78efcc2a6fb0ca1dd7d18c9d7b28c09a41238d7157 |
| SHA512 | ce71a9a84ac9f4da74bda7653a150a8b950e5da95cd708de266fb33506054aafd12b35ac3d28e0569f3c298967db4a3c5581d184a3d320bed6122bea1e1cc741 |
C:\Program Files\WinRAR\Rar.txt
| MD5 | fc13e375f3144a55adfb46f342778447 |
| SHA1 | f2e716a60f6371eeba55fbcc90c3b8b7c14eb4a4 |
| SHA256 | 7511c100daa946175efc18082d1923518bf1bfc8c1a80ea0252af585fbe295b5 |
| SHA512 | 8ca4a0ecc0d55d29a8ff291afb8cdffbf4a949d0979ffe2e262465db8e8c7dc30837a4ea17c163fea1902ed0bebb5a937eafc179d25f6ce1fc747f6309181e40 |
C:\Program Files\WinRAR\WinRAR.chm
| MD5 | 9a61f439dc229638f26846c69183043a |
| SHA1 | f35c4c41272311853833b71cec963fd92637638f |
| SHA256 | 0879cdd9d81b1cb319692dde76bf3a3c16369ddc33f006ffb199ed08d57bfa18 |
| SHA512 | 0da8117c3040b7d9fcca29e424612176603880a3c1985d45d8b7ec90ef2349dc910b89aa539b69b6d35e786553194b8e510e928a5fbeaf4450d5ad5ee40f3416 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
| MD5 | bd685a4508d7b26662f7ce45fd82caa6 |
| SHA1 | 2d9b34a8e2206896d36b8a5af76c0c9fdc5126aa |
| SHA256 | d06e7362299b2b02854cd2b0b9ba1cf24f09588b945e9ac2d4a39bbd91b4c660 |
| SHA512 | 38d013a786cffb04adede27b51ce6487abfa12ae96819e9e84576bded4c7c956c258831a7a63c24f3d43e5584094be54f6f72c1b00598debccc54bb9429ed34b |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk
| MD5 | 1e86bdc40d9af9299241f1729f7eefb6 |
| SHA1 | 098f5539411ae6f89d652aa97503baa21dd18ae1 |
| SHA256 | d6d9f88f749eb92617994ca056b55c40618402040cc09a8bae46bac39ecd5775 |
| SHA512 | cd4848c71f60204083949ebb0c75670a772caf4436aba46a626c4352bdb0139da8f054f8f4befacb24d2eec373ba73b6b95c0edd694171d32488bf50f9c65add |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6203f393416544ce39cc82d83c5c8903 |
| SHA1 | 4de46588bda9f4446684eab2d248987dc38dad24 |
| SHA256 | ab92dac4fc991b2701d262329cdb375574c971411c0cf088d8f1caf49cc9c280 |
| SHA512 | 0d7fda1d66cbd852d036fd02d8dbf3f084c3f8af104640caf1f4032404782e34b2f801dc74f0fc37baf5894c13d5847fac8929fec16c58c810cfefa2aae57034 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
| MD5 | 294620e1c9dd591556259f3ba58943c0 |
| SHA1 | 2b41aeafee3b624b84db4d5fc1a6a9f88aff9722 |
| SHA256 | a6437e948dfb421608e01ad444ec904c85781582112e4abb68d5c1badffce4ae |
| SHA512 | c457bcdabe312b647a00bc3ae07d0a84f2015f561194e0ef5fd57abee1bdb7881ebef81059a14c4d204dc07a3b93d1d84ccd5b7e6cbd67cfabb8f29f6c0904fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_BCCFCBC66B448214318C9391CA0E275F
| MD5 | 14377267287fcfe35947438dca434aee |
| SHA1 | 6f4c7e551f72622ce1a0728cfc8b7e9c45e44fb9 |
| SHA256 | 83489f723b9fe3dfc49b489f8c6afda20b3cd099a202562e7defc5cd2c833f03 |
| SHA512 | cbc4db6378ab1168b7f2ae2a246098f703a3451c637aec5198357b8ade7c9320f6e6ad76322f5fc20b8c7ca347259675155d985df5670da781e14c78a14c4b46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_BCCFCBC66B448214318C9391CA0E275F
| MD5 | 942cd91b1efb67c72a43567617d62442 |
| SHA1 | 8503e3d476a14760e22be74dd1f6b3ffdb4673ad |
| SHA256 | c417f9fd9fbb886a9fc76f1e462760f3e6409fb988ee4d5131e81571924c040f |
| SHA512 | 4a2de6da8183d699ac03ed13c696a5330a57325bcd9180bc3674ee9bb139a91fd98544b54d7a077bec6ddefff00ed7a4491d14c44353c105d4f1f9215074169d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
| MD5 | 724492af4ec732950ec00b1f3a9e03a1 |
| SHA1 | c348f02eccffb55e5af24c2a8e109e15a51cb9ac |
| SHA256 | af962df059535dcc5d842159d232edd2bbcb6feb9ea9cf0f756c9845d17e6f6a |
| SHA512 | 381fbb8b5204caa662e58a9d871d974d024c5e3aea024a8dbc9d64c8b2ae0f16a070fb57200c71c2fc033f34375cca2ec997640c374dfb1001f84d42bfe60f6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
| MD5 | 4e61a495db4f8328f91cd33e7f908c34 |
| SHA1 | 3424ee78e533d29b56f3af2a57843bc7f1e25550 |
| SHA256 | 8691c419608d318ad31515c19ff952a9337e00f27c7c67c1170d5e2a73d2cbb8 |
| SHA512 | 2543b9f4553b0b5951185763d2256387a81efd455b3b865ddd939d1f87668f45701ff0956441fc791a52d4af269b7b13909f758ab2d2957b32ed78fcbf21ff8c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
| MD5 | 7b1f66659a386bd21cb1401903f7f299 |
| SHA1 | 841e982164be85d667d03df1bf0180bdf0500cd2 |
| SHA256 | b19faba35ec668ed0a47e2cb6c71bf33e956be6efd61cb31f55e1cb473205e62 |
| SHA512 | 1f9a8517ff92d8bfecd64e2eda8ab9ebc30638358515aa9b228fcd3bbfef4bc65437681312e2f4e65c4a68c0011da17d36518bbc9fce199d66ef10cf1bd28f6d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3f918777c5b6eef64f7552386ba4532f |
| SHA1 | 0a3e109fb0b0d47ea836a262174bbca0fbaa7e83 |
| SHA256 | c2f3a7a11db26cb68fe2b7546756f89ac3fce4c2e28b376d302d82c1a476c125 |
| SHA512 | 966005350091ae6ee6a159fb313a56c508e3cc29b4d0756c4b777bf48c783381b3da7bc99b551ffb2c554dfe1a7a530643747a6b03f3cca6b1a818d9ddcb4fd3 |
C:\Users\Admin\Downloads\MAILIFY.rar
| MD5 | bf69e7ebf6afa622bec57bd9b60905fb |
| SHA1 | 05987c3cb3d1c9fd00cf766f3a4ecc4d22be4905 |
| SHA256 | 1a0c01dc084d8118b3d1b03dddd508bd121be0835c936a3864de4a81cb97e9e6 |
| SHA512 | 3289f7d3af1dfa890ae488449007665f45045b6325b8605146870a04cd8504aa846b8bcfbd8bedb12add5f609dc16f7ddc327cddc42c5e6b4ad589df764748f0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
| MD5 | 9c86b16ae1e1529663bd9668c6ea19bc |
| SHA1 | 094d6407b7fc72bcafc2ef3172f1c7663b596fdd |
| SHA256 | 4599b364b4c0413f06df8b906c966f959ba2ac18f9d408e4cf9f0f93774e15cd |
| SHA512 | 5df7122eb8bf2d3a8f18d880088a49cc3fe6375c35ed0a3dde9b5da0bba556c3b1ca70cc123f89784c1e5efcebee6b35fb505c72ebb059084180b47b4c77da4d |
\Program Files\WinRAR\RarExt.dll
| MD5 | 3068ec5dc5fc098d27e2270366a7c4f6 |
| SHA1 | 2b5a5abc33aaba8b49799e835798f027114e8507 |
| SHA256 | fa913a43d99fd0af75959a176c08a6041004a511329d608510ae6ebd75c7ea8e |
| SHA512 | 46b199885da3e44fe6defb2358ce651bd166f99f42ff6ef09da19630c8380ebf43809fe08502652c70873e84f0f39ce7707028bdea0f750f5ced7893209c244d |
memory/5688-485-0x0000000000DE0000-0x0000000001463000-memory.dmp
memory/5688-486-0x0000000000DE0000-0x0000000001463000-memory.dmp
memory/5688-488-0x0000000000DE0000-0x0000000001463000-memory.dmp
memory/5688-487-0x0000000000DE0000-0x0000000001463000-memory.dmp
memory/5688-489-0x0000000000DE0000-0x0000000001463000-memory.dmp
memory/520-494-0x0000000004390000-0x00000000043C6000-memory.dmp
memory/1576-495-0x0000000007700000-0x0000000007D28000-memory.dmp
memory/1576-497-0x0000000007500000-0x0000000007566000-memory.dmp
memory/1576-498-0x0000000007570000-0x00000000075D6000-memory.dmp
memory/1576-496-0x0000000007360000-0x0000000007382000-memory.dmp
memory/520-499-0x00000000077F0000-0x0000000007B40000-memory.dmp
memory/520-501-0x0000000007EE0000-0x0000000007F2B000-memory.dmp
memory/520-500-0x00000000076D0000-0x00000000076EC000-memory.dmp
memory/520-502-0x0000000007F50000-0x0000000007FC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eyecd0bb.hl5.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1576-537-0x000000006DFF0000-0x000000006E03B000-memory.dmp
memory/520-538-0x0000000008D50000-0x0000000008D6E000-memory.dmp
memory/520-536-0x000000006DFF0000-0x000000006E03B000-memory.dmp
memory/520-535-0x0000000008F90000-0x0000000008FC3000-memory.dmp
memory/520-543-0x00000000090C0000-0x0000000009165000-memory.dmp
memory/520-548-0x0000000009290000-0x0000000009324000-memory.dmp
memory/520-923-0x0000000009230000-0x000000000924A000-memory.dmp
memory/520-942-0x0000000009220000-0x0000000009228000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
memory/5688-981-0x0000000000DE0000-0x0000000001463000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\s4e0.0.bat
| MD5 | 9cb411d859623f1df5ee6ff97923cdec |
| SHA1 | 98b3abea90ffa98e444a54cc3b27b37c1e800420 |
| SHA256 | b26ffab8cad358fa8854f28789ed6a845aaa76cc6afc13f501f5a71bc6e0c67c |
| SHA512 | ecc1130c48913c1783f3c06658e331dcdf9d77aede94ac99ab48df69d2500ab3a808d154fb953c59f9c5a8d18512ebcd66fea0ba8fbc908b98339c806a968f39 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | f521d799ed460d9807b9310baf4b5b02 |
| SHA1 | 52347c677a6c2e630b9aca89cb760ba87c6c9585 |
| SHA256 | 6140f8183931ea40a70083aec5013ce0fa720115d203308afa92635f15cf2e75 |
| SHA512 | 315c8241730b87bd1ca658c2a2c5472b9baff921ef5559c30df37287f10e1749374f11c70f5cca20cdaa5978fdc171d7bc1d6a8026f60cb178162e5ed426ddea |
memory/1280-992-0x0000000001000000-0x0000000001683000-memory.dmp
memory/1280-993-0x0000000001000000-0x0000000001683000-memory.dmp
memory/1280-994-0x0000000001000000-0x0000000001683000-memory.dmp
memory/1280-996-0x0000000001000000-0x0000000001683000-memory.dmp
memory/1280-995-0x0000000001000000-0x0000000001683000-memory.dmp
memory/5992-1001-0x0000000007AE0000-0x0000000007E30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa0d793b53c99683174ec69ae1083b8a |
| SHA1 | f92719bb9d0e82d4dec23c666db0210b1db1df57 |
| SHA256 | e568a7f4f2c1be55fc6255e498020fd514a86c95be3741282d339a052759da88 |
| SHA512 | d3574412dee8c9927f9c2bf5373d8648c396247a3b2da7871a20727d5a940286a2069e77f74ce3b347e4b44cfd7e49308a7c559bb4e1f6c0e6f545887587b4c9 |
memory/5992-1003-0x00000000085E0000-0x000000000862B000-memory.dmp
memory/5992-1032-0x000000006F6C0000-0x000000006F70B000-memory.dmp
memory/5992-1037-0x0000000009610000-0x00000000096B5000-memory.dmp
memory/5968-1110-0x000000006F6C0000-0x000000006F70B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 520171f8faac3c1d68599b7a275f6456 |
| SHA1 | b86c433fb85b4a916c50696698cc853d313b3b4d |
| SHA256 | 6d18f10ee72b06e3be9982763f7dcc4e264d60361b2dc0082bcf9f967a581c43 |
| SHA512 | 920ef6e0fa2b8a5dbc513dd1861d8c9235b3ccafc8396770a87e4cacf9e8ea2e4cb84bf8c4a177e9dc09b2e5f80df5599409701134b3c3803f3d30991b900798 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d7226d8ddf5711113f2b52bb8dc4c1a |
| SHA1 | 23f4aa712ff5d2a963a4802d23cb14a9333ff3a0 |
| SHA256 | 9ee71c87702cc478fdd55e3fd5a81866c41bcdaa25a04dc85fb0c7021be2b694 |
| SHA512 | bee077ec0b19ef051294882b7a6ff4c6ba4863a2f30b9693af01082c2c848d64183b0fc7feecdf4b10370c384afc8180542dbec10d8acbb1caf053615f229b4b |
C:\Users\Admin\AppData\Local\Temp\s20o.0.bat
| MD5 | fd2395606d9624e4f2ef8da4c30687da |
| SHA1 | cbd278b6da2dc014eee933f6f3ff3e5cfb6461fe |
| SHA256 | 5c33712aefca5242c509d3041966d621c1b01bbe84911d4ad34be6069bce090b |
| SHA512 | 576bbfa94802ef7bc3724eaf11250146acf55b93871b5a4f344325df06976bf717b703712e19d48c32136bd0d707c35826c302a653bbeb41cbf6542d9a3c48f7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a27eeafd2d76740c1301d9db0b6f64f |
| SHA1 | ce380c919233e74d7b3d12c93f2707a1dc09b78c |
| SHA256 | a5089d28ce7d024e944b1f40c8981f95adc016269aa9e5021249ec05ed89c335 |
| SHA512 | 77eaa5a44fc41d3edf08c1fdf0e67cccf82f769c75e0c7f34fdbee5917c66078be91d6f39b5b393d5b23b6904cdc3b76c613bce30ac5ab4e0f4ded1cf190044c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fde280ae2852991ddc11abfd75bb9b39 |
| SHA1 | a89b79a7d53f0f3a8940f61da92f46c1563af867 |
| SHA256 | c4dcf9c327d710aae89ce5f5a5899ff38d4e5c39fe9ff91484a50aa37fc63720 |
| SHA512 | 9e8e10c2e0335b7d32f342f7896050be9b5a65f8e10b7bb8b73cd494b8207826136a5c713ec0efac71da795ffcd64f746108c8a8bf0915e197411e350ea90940 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 67c2d5f4bda4790cd8f07361dc961671 |
| SHA1 | 5c4a845573b6960ef79910b04357a306d64b1ec0 |
| SHA256 | dc036332ff3bd82ce11fa304bbc7d559349e4723d5db3dcd187f584f803d9f31 |
| SHA512 | f0b73f2124d4032c6041d409caef66ca1f7ee7222930d5b28da029c5277c4a88082c8a19fc426f7e60b5ad55b5aa37f61dec618a8ce3796d0d60d6f292d720fd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
| MD5 | 610091b0f1f571a1d44e29d825c7db9a |
| SHA1 | 54d2f18a34ad61808ffb72570194289ab6d55f0c |
| SHA256 | 272102c9b8cf7051f7d19e1420447dc82ed4d850070e6893001ede9b5ef5bda8 |
| SHA512 | 94a452a3d60f7a5db42941ea2d39f0ef0bf77279c11588c2310f32045e6a30567989587fdb595b2abfef037a3b768272a46c4ffa6de824c318b86ce6c91ff8e5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\startupCache\urlCache.bin
| MD5 | 3cff745a70af34c72ccc81db724f8526 |
| SHA1 | a9845706cc4a741b80c602a8454eab6d61f5ff6d |
| SHA256 | 05f399eee3a2a145c89a3733536bc16c51ebffe188ea92295a469bdb9c361e1d |
| SHA512 | 50afda9b504619ea9cf13719f73fdcc7bdeb34e45678d07122b045a55bea5655601d2292d3edf4f8af9bfe65263a50c6422da4f4621d60ad61aff835a7a9a3aa |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\startupCache\scriptCache.bin
| MD5 | 2709907455346af4191ee9e7644b68ae |
| SHA1 | ee05391bccadd1c9262be1bcf3f0f811e499d7c1 |
| SHA256 | 22b14a41d70837dc087792dd0b56b4641152f4a0c5f253ca791ce74f1cb2a183 |
| SHA512 | 29287fba0367f4efff517239d4edd85bda924c84fc7c14ad5c98a0cbbc1cb0b3165e16990d940bd3067b4cd5298bb5a546cba5cff85a0bc7bbfa84463beb58b2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\xulstore.json
| MD5 | 6e70ecfa995973b27a83d95836fb0d04 |
| SHA1 | 9a0158fe1ecd31c19ae6c2f4386dc6353cb18f6e |
| SHA256 | ad16aa39c215cd131acd85ec770c5630d72c7d5bc31cfaa907f15c8f6476e599 |
| SHA512 | 5efd3be4a9ccefc84cf39839b6c06ddc8d7b2e1ca412b974dc362b78ba0d616a41288e95eff53170629a74d6d5e845cfc6f5ce06dd066963bf582c5de026459e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\permissions.sqlite
| MD5 | 4c62fb572514b833cbac879d5bfc3198 |
| SHA1 | 84390b88661586d2c6068333a3b742d7f128d8fb |
| SHA256 | 80d26e2f0c5412d295b35ab406fb90264b721187c72029f44bf9283f22745beb |
| SHA512 | cf3029a0c6971d0dac7fc5cf49a4767e4519a217c572c9171a61ad9a9afc9873bd071942b629bb7a8a08f5cae48595b6945023d4a51594056571ff2766c2f741 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
| MD5 | ea8b62857dfdbd3d0be7d7e4a954ec9a |
| SHA1 | b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a |
| SHA256 | 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da |
| SHA512 | 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
| MD5 | c4ab2ee59ca41b6d6a6ea911f35bdc00 |
| SHA1 | 5942cd6505fc8a9daba403b082067e1cdefdfbc4 |
| SHA256 | 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2 |
| SHA512 | 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\bb036b2f-62dc-4df1-872b-911b4c4197e4
| MD5 | 47e9addb31d4dec9e422bdc5344236dd |
| SHA1 | 99ebe957aa87475eef11472b942c16928e16eaf9 |
| SHA256 | 5efdf0634cff5e2d784f718e0ff3c9e53e75d563afe8bbc5ace6cf830fc5edac |
| SHA512 | b3ecd2f8e8a82ff27f066faf41399c3b1a546b2c08e35f7ae3ac20989d95785325e07d03a00daed7aed07f0c4a5164afc0702cee8427e4847cadaacd7056f74d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\9fbef9ce-ff83-4c5d-bb2e-965ceb6e1e43
| MD5 | 5f09b0b375b3de0ca603546e613dd8ff |
| SHA1 | 189597db2744d8528fb29b7282af40dfb92ebbc2 |
| SHA256 | fc4b94afd6e1a8b38713b60366f37f5d05455c5515baae016b5c01ea4a1ca571 |
| SHA512 | d59a43de4420359f263bd2ea2d066deb558d5433b2edff065424ac16835bb695ec8a3b94753c9f88b195a1cd2cf8bba5e2f0ad6a35fd90f01ecefab8fec71c0b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
| MD5 | a18b4b0ec313b61bbc8f854015f978cc |
| SHA1 | 6412d0ec23c5390a81a1dcaf300ab018f52ef6e0 |
| SHA256 | 756ba12901bd2d9e4a4d72e127d65a7a988edbc4ba73519878f44496c9f1e665 |
| SHA512 | 6fba1ff2d70c4f9438087c58c0f9cc7c2b6d1a1023e8f324a7f1a3217c8196f381140fc322adc9cc08074520d4e9d19c4a97df7a1c495e81f0ba5e8fcd92f9c7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d220c7ae18259f1301f3ad5328c84b97 |
| SHA1 | b4638d1c0d920418fb2d76f86ea68a2ba034ea9b |
| SHA256 | 906b060a273e2abf593f6f42996f1a4d960d09dcee95d974e802fb7291647714 |
| SHA512 | 23bdb9230036f89f1ad07434dc894de78167514265978a07e5e1d0e577b474f6733b47d6952f85630d6345eda0245c1cad19afa54b957099ee2353e53bb263f0 |
C:\Users\Admin\Downloads\processhacker-2.-2oy9E-o.39-setup.exe.part
| MD5 | e6e09ca0677b25f54bca1094a9258f0d |
| SHA1 | 150a176b632c55213796fcb6d322f0478f0e1e36 |
| SHA256 | f95086e28f361df22a7b8702bbfd4aaa61bdd688a132ec5d6943dc008b03f54a |
| SHA512 | 0ba91b14e860c402215d3b7ad0d8e16694ee25993b2117b3f01f6b78a68004071bfc366d562b61cc9d14aaa48bc39be23ac9aa53481c85118bb32ebc8bd58412 |
C:\Program Files\Process Hacker 2\ProcessHacker.exe
| MD5 | b365af317ae730a67c936f21432b9c71 |
| SHA1 | a0bdfac3ce1880b32ff9b696458327ce352e3b1d |
| SHA256 | bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 |
| SHA512 | cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | ce61154cbfdc163d3c82a014889dc86e |
| SHA1 | 882c811c2988529528e820c0dea7250d3c85b46c |
| SHA256 | 625a784bd885ea72725b6bc16bfb4c769e973668421d47cdecc75dc657402fae |
| SHA512 | 4fb6dbe24a2780941d3f0936cfbcf2814c30e3b33e36b6617621030dd07fba3d462361f68d7c2c158a4b2830e8f2921f1e0b7e53647b2cf89b48a4b79aa0b4b9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
| MD5 | a10b2d97ad33bfd0339691b903d2c9bb |
| SHA1 | 0ff0ba411b2c5f23cf8b335f9f362836f0e926d5 |
| SHA256 | 24316a7ca80e0e5354f490363f47d29112043eb3403a6bf487ff8842fd173e1d |
| SHA512 | a6e756d6d0593b55655e82b2295eeb0c9f68bd3539c1a3a775891daf918416c3612a023774b67423e7795b8508ebffda0df5f01b67e5573af63b2f08f7777f36 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
| MD5 | 6a3dd05ed729a6f5efc123e831262232 |
| SHA1 | 50657ce663581494647debc1e9071b8e8d5281d0 |
| SHA256 | ea92dee964dc4d11d6d49ec7f3020103ef95e8c4c85263b46a5e671ec6fafa8c |
| SHA512 | 8e4d04745a441bc3be10e274a7d065db36e38cf0b828514985a8601476ad040515eaec98547f52d509a7d6176061a30b85babb3af01f6f289565360de9a16fbb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
| MD5 | 99601438ae1349b653fcd00278943f90 |
| SHA1 | 8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9 |
| SHA256 | 72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a |
| SHA512 | ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp
| MD5 | 700fe59d2eb10b8cd28525fcc46bc0cc |
| SHA1 | 339badf0e1eba5332bff317d7cf8a41d5860390d |
| SHA256 | 4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea |
| SHA512 | 3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
| MD5 | 3c35889d32c3c1cd5c6774f7fcbaf705 |
| SHA1 | b26618d9dbed6778b96ef489916ebe438d53de09 |
| SHA256 | e49f4940b5dbd9aae9e533fdf795736c5d5c7dff87d9b2901463f51cc7439470 |
| SHA512 | 159023dc81a8d62a39b2098125f195f9c660ef6da0d2ed6d401db63e6ed4bd688f34f62912c77591203f5b9101d4c1225de479ea0eb81dc1492f4cde2a385185 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\places.sqlite
| MD5 | 40241eae0211a081391349c45baa59ed |
| SHA1 | 52702f11e41188ff4f18d15f37eb8331cee83935 |
| SHA256 | 0313a86fa548b317426526f4109888cdce9eee16e325c6be09a6003f151a3d1d |
| SHA512 | 56732dc1e04463858118f9ba227760b494b5e9e97ed6e2adffa1f387a83150f994fe868f9300ea84ed2def183f18cfd06c74fd4d18d0f9c103dda3bff3b878f8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 06:57
Reported
2024-05-10 07:07
Platform
win10v2004-20240508-en
Max time kernel
541s
Max time network
540s
Command Line
Signatures
PrivateLoader
Grants admin privileges
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80BA.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\AnyDeskPrintDriver.gpd | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\AnyDeskPrintDriver.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80BA.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80BB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\AnyDeskPrintDriver-manifest.ini | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\anydeskprintdriver.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\AnyDeskPrintDriverRenderFilter.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET8099.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80BB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET8088.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80BC.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80A9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80A9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET80BC.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET8088.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\SET8099.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| File created | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597983279602764" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\"" | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\"" | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0" | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open | C:\Users\Admin\Downloads\AnyDesk.exe | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Scoala-Nr-2.jpg
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffea6aaab58,0x7ffea6aaab68,0x7ffea6aaab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3868 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4860 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5112 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5088 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5436 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4948 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4552 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 --field-trial-handle=2120,i,8855193329529538256,2189008798523858408,131072 /prefetch:8
C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe"
C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-drv --update-auto --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf"
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
C:\Windows\SysWOW64\expand.exe
expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
C:\Windows\SysWOW64\rundll32.exe
"rundll32" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d5f9fbd0-1fae-624a-9f70-795c021e4eb3}\anydeskprintdriver.inf" "9" "49a18f3d7" "000000000000013C" "WinSta0\Default" "0000000000000144" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{ca6d8a6d-665c-a54c-a1c7-0bd9f26a744e} Global\{dbe83c07-558d-0a44-b38e-daea738cad2b} C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{c111c233-281a-654d-b751-977656ad1d8a}\AnyDeskPrintDriver.cat
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x3fc
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\net.exe
net user bar /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user bar /add
C:\Windows\system32\net.exe
net localgroup administrators bar /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators bar /add
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3973055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.206:443 | play.google.com | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 172.217.16.238:443 | clients2.google.com | udp |
| GB | 172.217.16.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | picteon.dev | udp |
| US | 172.67.181.154:443 | picteon.dev | tcp |
| US | 172.67.181.154:443 | picteon.dev | tcp |
| US | 8.8.8.8:53 | 154.181.67.172.in-addr.arpa | udp |
| US | 172.67.181.154:443 | picteon.dev | udp |
| US | 8.8.8.8:53 | boot-01.net.anydesk.com | udp |
| FR | 141.95.145.210:443 | boot-01.net.anydesk.com | tcp |
| FR | 141.95.145.210:80 | boot-01.net.anydesk.com | tcp |
| FR | 141.95.145.210:6568 | boot-01.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-d4aa0625.net.anydesk.com | udp |
| GB | 57.128.141.164:80 | relay-d4aa0625.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 164.141.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.145.95.141.in-addr.arpa | udp |
| FR | 141.95.145.210:443 | boot-01.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-0135ac48.net.anydesk.com | udp |
| GB | 57.128.141.165:80 | relay-0135ac48.net.anydesk.com | tcp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| US | 8.8.8.8:53 | 165.141.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.102.255.239.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:7115 | N/A | udp |
| N/A | 239.255.102.18:20554 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 192.168.100.32:7070 | N/A | tcp |
| RO | 86.127.88.1:7070 | N/A | tcp |
| RO | 86.127.88.1:49921 | N/A | tcp |
| US | 8.8.8.8:53 | 1.88.127.86.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4992_EKARDLPSZDRKAXZH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 97644c18809adb44ae477e007742c65f |
| SHA1 | 884225cc57ace4951abd407cb4d4de59ebca225d |
| SHA256 | e7e531173a2c6303fc9af57ba1494c97b3a05a30c8295f7c487c8ab3d2429b49 |
| SHA512 | 7d3da8d28280be52570e6399c6c1f1dcbbe6cad76174f206e3331b4fdd8f1c5fff3830626f6330e4d964b2c8b15a6f6aa55913f5406970c6b43ce173471aa7c0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 582d5d6454757fc31a1438e4c27dfb17 |
| SHA1 | c170accc8643169fbf0531bf8343f86d33e97e4b |
| SHA256 | 235b4b6c13662d480457a19aa6a85db22c2bddd803d42aa010729cfe129aa0e6 |
| SHA512 | 277890e81388a5d415289ccf3335cd52b25771def4dd8e1b7aeab99c617b0d4d722ef2eef591d2bfa7fa89028689ac117dfc798c7794f2676de2a0d562b7635c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ddd8c5b21835711de2babc794758b1b3 |
| SHA1 | 7d99a9f662518628c06be30de12317f8a9709c69 |
| SHA256 | 3d91f80ad47a82c2f1f04d4daf6beb53581a184806b44cb70deb637d6d98f222 |
| SHA512 | d04701dec6a002dd0ebc12834a76844391ad9a08397c1513c6721fcb2bd9e871fc11b6f4d44f4dc276e16af29d2479f782190be65b2ba86aa92f474bc30d238d |
C:\Users\Admin\Downloads\AnyDesk.exe.crdownload
| MD5 | eb80f7bddb699784baa9fbf2941eaf4a |
| SHA1 | df6abbfd20e731689f3c7d2a55f45ac83fbbc40b |
| SHA256 | b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78 |
| SHA512 | 3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | fbf9645d98764e56c8d02a496f5f3c09 |
| SHA1 | 68862c949505c887385f323b85cc2ae97c55361d |
| SHA256 | f9ca014a1b1cd335a664fa724f4a6a7531236550a323cbf3f8e24e1534d06870 |
| SHA512 | b75f5ab01532547aac12f412761d413c229c489829be4ad83d5716a57497ef7982d2af8c1c869d9c93c83a71edffff51dc4e640060191e25950cbbb27b18c274 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e2c61f35f771cef6e98fb92e72f36323 |
| SHA1 | d07c76c33347aac5ae3d702a449df4f300fe5359 |
| SHA256 | ec34149195c2a6e987cc7bac95d92c38a6e29f452fa01dabe612d27a85a538bd |
| SHA512 | a35ec19e2cd050ac4b0fa6afa4d58f7fcb87bd9b3b39660b075f7afe84536eca9cdc605174798d03948225fb36b9122d7680908312c8122859edc19f0d696196 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f2d6b45f75d646ab234d8eb4a5553100 |
| SHA1 | 9bf902824493bba4962a63471786f7cca1cf8b34 |
| SHA256 | 444823bb3c8e9c1bf7c99899437f3efd0c9962b85843801c4a07486254c1bb97 |
| SHA512 | 2a0773ed8e41e2e87cc45aaa12dbf22c878de2608336a8af64ed4235b6b01e3181d4faf69bebd7fa4f5e9af4543b137af37b8d68b7f53a9725e6e86997c9c004 |
memory/2860-130-0x00000000004B4000-0x0000000000DC3000-memory.dmp
memory/2860-131-0x00000000004B0000-0x00000000010C2000-memory.dmp
memory/2860-133-0x00000000004B0000-0x00000000010C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | f25e48e1d9e1e1398bc5fbc6885570b8 |
| SHA1 | 46557c8ebb9236af6c28c9bdd317d1d25749e710 |
| SHA256 | 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db |
| SHA512 | 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7 |
memory/3184-149-0x00000000004B0000-0x00000000010C2000-memory.dmp
memory/404-148-0x00000000004B0000-0x00000000010C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | a65a1bc55c319665e494bdd1c012713c |
| SHA1 | 44a342a46e93e5b0b585f698db2786c95b08151d |
| SHA256 | 51357b3adbdc65dbaf2ec0b62428b53bf6b498cf57908142410745d0d40fdd0b |
| SHA512 | e32b981749e172fd176fdd046c68a4233e05cff5e959989d0c8e70fe7cc5f9bfae4e89f9710a2019d6fbbbc4a9309c0798a5eb4ef11fcc8a94a7c9ff311aa027 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 59352c2b0c590c5fd96365d3168d723b |
| SHA1 | 53ab571639cc3e3a38032c1095985f7f4278d8fc |
| SHA256 | 079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286 |
| SHA512 | 2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 397c4783287a036cdd8a72166ebd2039 |
| SHA1 | 5224cfcc25b8d8a957dc9a7b0ea15a7d7dd88ba3 |
| SHA256 | 0073fe5f03415bc2ab38b3f877d511ac73457054a87584dae941dae9ab4d5e24 |
| SHA512 | 634482f51b602fb642f6f5d8d63a515659eab35c5b8b54a0d61e0d1a31a84222f8dcd763547fcfd3d349d9059dc26d4905399d369dcb505a25d10163d36c8c6c |
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
| MD5 | 9a70926c256e7b608961b634a27c36fb |
| SHA1 | 56157d53a77c0421d9ec4ead26688b7ce5961a6e |
| SHA256 | c967f8320e44ed737bd54794303a50910d3de0dce3231d265bb8070780b38331 |
| SHA512 | 2aa49abc79bc1d2eec45b0d7900b2adc071cd28b4e58ce5109bb0b136c263149826207d910fb072f448642ee28e020c90a2558701d679459012d7ed6d34e7852 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 92905e1fa7af21b3bd0fd3d62e0859fb |
| SHA1 | 53563b73c699e0552749d291b0d171873a48652d |
| SHA256 | a0d2e281a7ae62966f8fad1e652cee39cd6b7ee8a55f76dd6f393f80a44f1b03 |
| SHA512 | 115e43ed03c28d91c115af0c0095f7965b0c16d366859b4b140b80da33698fbe33f3990ea3704539e3f6d74d87e5942a8506d6672a767186fc76b7b3f9058d50 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | e9c19dd2ef9cf3b4fba36a9a209d5015 |
| SHA1 | 602e60e01eae75f82997ec8e503b9300370c6269 |
| SHA256 | 6bc3806a33a2b4a2b6b8bd563cefc82dfad7a6fd0839dac836da42dcce823acc |
| SHA512 | 17a2aca7e2ff0c9f784e62d3cf81ebc16307e03ae74749984b9901915757bff708a61a9d756498519ff5530e45f1289a3fc65caabd8e8b425e80379747154f9d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5e6290.TMP
| MD5 | a0a9d45d20420679550359128136edcf |
| SHA1 | 1af9289a99aaa9fed2dfbdee8548cd79c88207f8 |
| SHA256 | 9ba5245b60679603cd355c36d82497c8b731118e79c358838ae85417a94d9fe3 |
| SHA512 | 6ab06fa86aa72594dee3110abd08ed344d9e71803c6d5011a997c64b5260f065353f7911fc7c8210facf4ee81c7223e8e8aa42e20c8b5e106267f525078b48ae |
memory/2860-197-0x00000000004B0000-0x00000000010C2000-memory.dmp
memory/640-208-0x00000000004B0000-0x00000000010C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 28e57e55fab2de3c534b29f49d206e8a |
| SHA1 | bd927861afd0f1016b87259e71aecf2d624b0892 |
| SHA256 | d1d1186b4501ede8a92c0487d1c052387e9b0a67a297f8a96215345104e8efe9 |
| SHA512 | e08fa85a5f2b7b8b6ce5057a9549d2aa15f706662bf4e64516d328b7620c9f6ec2c5b60664476a783d9abc7e6e53c22af0569ec5d4f4a7a2c8197320ccfca75a |
memory/3484-229-0x0000000000300000-0x0000000000F12000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | ad863da2ffaf13b2104b90144917c271 |
| SHA1 | 68d4d0217ba15ea909a3f543565b7420d8519b1c |
| SHA256 | 1d6909ba05dd9547960deaa1236882cab46725b33d42e4cff884e4ee4e150eee |
| SHA512 | 30cc92866c93a17a3e7b9f294c77c1300f9fa6e0f48b4d26d1c4dd67edc324a301817c1a4298000235b97455d4f20f9578f8aba78e186c508beb21faf67b26bf |
memory/1840-244-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/4404-246-0x0000000000300000-0x0000000000F12000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | b1ad0ca19ac859732fd6ff5c834ca308 |
| SHA1 | 11d9d535845e4b2b949c562f75581080cdca249c |
| SHA256 | e74a87e37de3351aae464a315aa0ed62eb28c78ec7bc0928e531e2b3d4f65494 |
| SHA512 | bedc5cec9388a6a930c1033108ba4990d906bf11d8329c0328cc50a38f12ceb8082ded4c40cac27b0837187643d357268f19709f14295e71ff9e0c1d4a4d46ab |
memory/640-249-0x00000000004B0000-0x00000000010C2000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | 03f39fcc9fd71a0ee90cafa5ca32faa7 |
| SHA1 | d814b9ca325685370d3aaa4ed5e9e0e5ce70f164 |
| SHA256 | d920a9c58c346b69ef4555bc03ac6c92d1a7a127c8c942db244f078ab40c69e3 |
| SHA512 | 7f1d93310b229fb98cc1a1758fd7dae42313cc1384196aa900ad98edc3ca5cdd7724ae92cdea9aaaf100a1745d1fb75cc54ff0dbeb62e19a619e579d77c9c7e5 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | dc2155e03e49827e2d1329f4c7248c94 |
| SHA1 | 840bcd81fe7fc7eb7620e5ecc10daf4977e98837 |
| SHA256 | 8572a7ab7627c6ed52bfdc376815c402160bc0cf05dedea02d904bebc9088e67 |
| SHA512 | c6253d267a82c0a845f09660a7dcbcdd3158987e68a1a114306ce87b0f08faad675ed6471935b68b39620e5c6efae0a0c702f2bbddbdfb91f38a5640070a160d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | 23d5c74fcfd7c341f9be0f04d6fdd4cf |
| SHA1 | 3f83909ac5539ff02aa924685541c237e737496d |
| SHA256 | caba08a52482816479af0438ea20a0264dfd36240a5811b5769f620c651643b1 |
| SHA512 | 7dc7955a66547ebc4c4e353cdebd47ab830d4b8f04ee66ed4cc6ae3c6f4e4af69f2f9eb5c29b752176384d27e3224165efcb54e05bd3df0f7bcc092e6c2ffaa3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | 8f2111503651235e4a97691feb13da58 |
| SHA1 | b51bcff88447e32240dc2963339b022983c60583 |
| SHA256 | 2f9578e5aba4c57b43bd0f09d062a47468f566eae87d1654ea3f0e5b32eb71dc |
| SHA512 | d638c3829cf2eb0b1313669e0c4a3bb5826727e30f8fd1154d15184c7b0968be1b905f6dd0be9bba1e678831bd485c90328b9fdf3b9de28d637a2a172c7ea21a |
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab
| MD5 | 5a4f0869298454215cccf8b3230467b3 |
| SHA1 | 924d99c6bf1351d83b97df87924b482b6711e095 |
| SHA256 | 5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a |
| SHA512 | 0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 45746c5407e7689edca88f651d16b90f |
| SHA1 | cd5fdbe383522dd1c134f3a17c4a4d3f416f859d |
| SHA256 | b6c2d1d011c979e1ec2b6f0bb5e87e5d6862745d3bbce62866133265cdda3d72 |
| SHA512 | 87a1f8536943806a5bc5d30a398f8f5ddad8703357129c83aa3bdea61b821901417423165ebb3d1f08de42fb034403a8dae2cd64a095fe52f75d25ea9c592227 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P3IPIL10MU7O99KXX5AO.temp
| MD5 | 6a5e216359adbb78975b95693e4cbbca |
| SHA1 | 180de1380108fcd3d25fec7169941c62ed7c4e43 |
| SHA256 | 9a27f7a710dfd204261b0351f73c7fc4723189334a8962c9d610e4c553f454b0 |
| SHA512 | 7526bc3ad61eea87516d3204a38e0e263882ae1d66f73a6e9fcc1cfd95161d7455634b83312d7c3d0615156265fbddcb7a91425265da92269801b4d9c6f31f43 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 22b9e4e628573bdac8cb04791f575ad2 |
| SHA1 | 2446b2c4343ca89d1aa687718c7734d695784ccf |
| SHA256 | c5968aa38c37ee9e4956d04bae2e1334535f171259efacaa914ddfe587f81059 |
| SHA512 | c4f7b0387d64cd67d0a452d25bd737e1f69af73f010510eb33d8278335e44a25b882eaae95d85535fbde69081b88a0044ce642dcc149a68aa9d1eea061f1b730 |
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf
| MD5 | d4ca3f9ceeb46740c6c43826d94aba18 |
| SHA1 | d863cb54ad2fa0cfc0329954cbe49f70f49fdb87 |
| SHA256 | 494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c |
| SHA512 | be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4 |
memory/2860-322-0x00000000004B4000-0x0000000000DC3000-memory.dmp
memory/2860-321-0x00000000004B0000-0x00000000010C2000-memory.dmp
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat
| MD5 | 6d1663f0754e05a5b181719f2427d20a |
| SHA1 | 5affb483e8ca0e73e5b26928a3e47d72dfd1c46e |
| SHA256 | 12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3 |
| SHA512 | 7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424 |
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter.dll
| MD5 | 1e4faaf4e348ba202dee66d37eb0b245 |
| SHA1 | bb706971bd21f07af31157875e0521631ecf8fa5 |
| SHA256 | 3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d |
| SHA512 | 008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba |
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml
| MD5 | b76df597dd3183163a6d19b73d28e6d3 |
| SHA1 | 9f7d18a7e09b3818c32c9654fb082a784be35034 |
| SHA256 | cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33 |
| SHA512 | 6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69 |
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver-manifest.ini
| MD5 | 0d7876b516b908aab67a8e01e49c4ded |
| SHA1 | 0900c56619cd785deca4c302972e74d5facd5ec9 |
| SHA256 | 98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753 |
| SHA512 | 6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546 |
C:\Users\Admin\AppData\Local\Temp\{d5f9fbd0-1fae-624a-9f70-795c021e4eb3}\SET801F.tmp
| MD5 | e0d32d133d4fe83b0e90aa22f16f4203 |
| SHA1 | a06b053a1324790dfd0780950d14d8fcec8a5eb9 |
| SHA256 | 6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4 |
| SHA512 | c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b |
memory/3184-392-0x00000000004B0000-0x00000000010C2000-memory.dmp
memory/404-393-0x00000000004B0000-0x00000000010C2000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a98b8a8c2857d54c97d5291464ba55b2 |
| SHA1 | d6246448c61f98348b1be352bfb2a41ba7641896 |
| SHA256 | f8715860ba4d2f0388a9eef83aa2bfcf167dd782c109b46574ba9296731e74af |
| SHA512 | 7f3e260d1550f88b16afe957bd48a4bda1766d9ec84cf968d36ceace830849bd0ce44a54618580cfc15d6092a508b8b052babaa1833fa6bac1a9808efe4845a7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | a49f41fb522d7481162c32ea569cfb78 |
| SHA1 | eb2d0968ccf6a9d82c0b343d96eb45f83d7f3e05 |
| SHA256 | 26689daedc3fc6c91308246e2c2983800d2a9531dd1e53ab20ece617e48238ce |
| SHA512 | 96ae6830dcea25a40a998d867d8b34ac7500dad49b580ea0a663318da50d84250f1decfa905ff6d2d0e365441b7c953553280d6803794adb6fae04d4e9920034 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | a4c009c911b6186d0d57db9645c66444 |
| SHA1 | cc70d0ce0e3172f5b024c888fc931eef49c316b8 |
| SHA256 | b6776fbf525e054994dc0fc055fe97410c49b088329869f2137796071de5488f |
| SHA512 | 3efad6c7052f6c2b64121b64807d19b6f8831952132698fa694f3f210878a975ba94ea7fb3488036cccbc77869d384d06ec7107fbfe243d945082679d465e40e |
memory/3484-492-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/3184-496-0x00000000004B0000-0x00000000010C2000-memory.dmp
memory/404-498-0x00000000004B0000-0x00000000010C2000-memory.dmp
memory/4404-500-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/1840-499-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/4404-503-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/3484-507-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/1576-510-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/4404-511-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/3484-515-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/1576-518-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/1576-526-0x0000000000300000-0x0000000000F12000-memory.dmp
memory/3484-529-0x0000000000300000-0x0000000000F12000-memory.dmp